diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 00c000033..a45030ac8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,8 @@ on:
     branches: [ '**' ]
   workflow_dispatch:
 
+permissions: {}
+
 env:
   CARGO_TERM_COLOR: always
   RUSTFLAGS: '-D warnings'
@@ -49,6 +51,8 @@ jobs:
         if: ${{ contains(matrix.container, 'opensuse') }}
       - run: useradd -m -g users user && su user && cd ~
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: dtolnay/rust-toolchain@nightly
         id: rust-toolchain
         with:
@@ -71,6 +75,8 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@stable
       id: rust-toolchain
       with:
@@ -91,7 +97,19 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: dtolnay/rust-toolchain@nightly
       with:
         components: rustfmt
     - run: cargo fmt --all -- --check
+
+  spelling:
+    name: Spell Check with Typos
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Spell Check Repo
+        uses: crate-ci/typos@v1.29.8
diff --git a/.github/workflows/cron.yml b/.github/workflows/cron.yml
index fe80c30ce..69ffd14aa 100644
--- a/.github/workflows/cron.yml
+++ b/.github/workflows/cron.yml
@@ -5,9 +5,14 @@ on:
 
 name: Cron continuous integration
 
+permissions: {}
+
 jobs:
   markdown-link-check:
+    if: github.repository_owner == 'davidlattimore'
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: gaurav-nelson/github-action-markdown-link-check@v1