diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6299df0..3434796 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
         branches:
             - main
 
+permissions:
+    contents: read
+
 env:
     RUSTFLAGS: '-Dwarnings'
 
@@ -19,19 +22,16 @@ jobs:
               uses: actions/checkout@v5
 
             - name: Set up Rust toolchain
-              run: rustup toolchain install nightly --no-self-update --profile default --target wasm32-unknown-unknown
-
-            - name: Set up Rust cache
-              uses: swatinem/rust-cache@v2
+              uses: actions-rust-lang/setup-rust-toolchain@v1
               with:
-                  cache-on-failure: true
-                  save-if: ${{ github.ref == 'refs/heads/main' }}
+                  components: clippy, rustfmt
+                  target: wasm32-unknown-unknown
 
             - name: Check formatting
               run: cargo fmt --all --check
 
             - name: Lint
-              run: cargo clippy --all-features
+              run: cargo clippy --all-features --locked
 
             - name: Test
-              run: cargo test --all-features
+              run: cargo test --all-features --locked --release
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
index 1bfab0d..db6f1f8 100644
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -3,6 +3,10 @@ name: Labels
 on:
     workflow_dispatch:
 
+permissions:
+    contents: read
+    issues: write
+
 jobs:
     sync-labels:
         name: Sync Labels
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 41d9078..c4d3e34 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,6 +12,9 @@ on:
                     - minor
                     - major
 
+permissions:
+    contents: write
+
 jobs:
     release:
         name: Release
@@ -29,13 +32,10 @@ jobs:
               uses: actions/checkout@v5
 
             - name: Set up Rust toolchain
-              run: rustup toolchain install nightly --no-self-update --profile default --target wasm32-unknown-unknown
-
-            - name: Set up Rust cache
-              uses: swatinem/rust-cache@v2
+              uses: actions-rust-lang/setup-rust-toolchain@v1
               with:
-                  cache-on-failure: true
-                  save-if: ${{ github.ref == 'refs/heads/main' }}
+                  components: clippy, rustfmt
+                  target: wasm32-unknown-unknown
 
             - name: Install Cargo Binary Install
               uses: cargo-bins/cargo-binstall@main
diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml
index e6d4df1..5a9f230 100644
--- a/.github/workflows/upstream.yml
+++ b/.github/workflows/upstream.yml
@@ -26,15 +26,10 @@ jobs:
               uses: actions/checkout@v5
 
             - name: Set up Rust toolchain
-              run: |
-                  rustup toolchain install nightly --no-self-update --profile default
-                  rustup target add wasm32-unknown-unknown
-
-            - name: Set up Rust cache
-              uses: swatinem/rust-cache@v2
+              uses: actions-rust-lang/setup-rust-toolchain@v1
               with:
-                  cache-on-failure: true
-                  save-if: ${{ github.ref == 'refs/heads/main' }}
+                  components: clippy, rustfmt
+                  target: wasm32-unknown-unknown
 
             - name: Install Cargo Binary Install
               uses: cargo-bins/cargo-binstall@main
diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
index c89b9c6..44dad63 100644
--- a/.github/workflows/website.yml
+++ b/.github/workflows/website.yml
@@ -5,6 +5,9 @@ on:
         branches:
             - main
 
+permissions:
+    contents: read
+
 concurrency:
     group: ${{ github.workflow }}-${{ github.ref }}
     cancel-in-progress: false
@@ -13,19 +16,15 @@ jobs:
     book-test:
         name: Test Book
         runs-on: ubuntu-latest
+
         steps:
             - uses: actions/checkout@v5
 
             - name: Set up Rust toolchain
-              run: |
-                  rustup toolchain install stable --no-self-update --profile minimal
-                  rustup target add wasm32-unknown-unknown
-
-            - name: Set up Rust cache
-              uses: swatinem/rust-cache@v2
+              uses: actions-rust-lang/setup-rust-toolchain@v1
               with:
-                  cache-on-failure: true
-                  save-if: ${{ github.ref == 'refs/heads/main' }}
+                  components: clippy, rustfmt
+                  target: wasm32-unknown-unknown
 
             - name: Install Cargo Binary Install
               uses: cargo-bins/cargo-binstall@main
@@ -41,21 +40,17 @@ jobs:
         name: Build Book
         needs: book-test
         runs-on: ubuntu-latest
+
         steps:
             - uses: actions/checkout@v5
               with:
                   fetch-depth: 0
 
             - name: Set up Rust toolchain
-              run: |
-                  rustup toolchain install stable --no-self-update --profile minimal
-                  rustup target add wasm32-unknown-unknown
-
-            - name: Set up Rust cache
-              uses: swatinem/rust-cache@v2
+              uses: actions-rust-lang/setup-rust-toolchain@v1
               with:
-                  cache-on-failure: true
-                  save-if: ${{ github.ref == 'refs/heads/main' }}
+                  components: clippy, rustfmt
+                  target: wasm32-unknown-unknown
 
             - name: Install Cargo Binary Install
               uses: cargo-bins/cargo-binstall@main
@@ -87,10 +82,12 @@ jobs:
         needs: book-build
         if: github.ref == 'refs/heads/main'
         runs-on: ubuntu-latest
+
         permissions:
             contents: read
             pages: write
             id-token: write
+
         steps:
             - uses: actions/checkout@v5
               with: