diff --git a/.github/workflows/build_all.yml b/.github/workflows/build_all.yml
index fba00fbb61f2..19fee4a98ca4 100644
--- a/.github/workflows/build_all.yml
+++ b/.github/workflows/build_all.yml
@@ -8,6 +8,9 @@ name: Build test all components
 # yamllint disable-line rule:truthy
 on: [pull_request, workflow_dispatch, workflow_call]
+permissions:
+  contents: read
+
 jobs:
   stub-build:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000000..4f7c29d6c831
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,50 @@
+---
+name: "CodeQL Analysis"
+# yamllint disable-line rule:truthy
+on:
+  pull_request:
+    branches:
+      - 'main'
+
+permissions:
+  contents: read
+
+# Specifies group name that stops previous workflows if the name matches
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analyze:
+    name: Analyze GitHub Actions Workflows
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required to upload SARIF results
+      actions: read # Required to read workflow information
+      contents: read # Required to checkout repository
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['actions'] # Analyze GitHub Actions workflows
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
+        with:
+          languages: ${{ matrix.language }}
+          # Optional: Specify custom queries
+          # queries: security-extended,security-and-quality
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
+        with:
+          category: "/language:${{ matrix.language }}"
+          upload: true
+          # Upload SARIF results to GitHub Security tab
+          output: sarif-results
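Review bot: The new codeql.yml only triggers on `pull_request` against main, so an analysis of main itself is never uploaded; as I read the code-scanning docs, the PR check compares findings against the most recent analysis of the base branch with the same category, and without that baseline every finding is reported as new on each PR and the Security tab never reflects the default branch's state. Adding `push:` with `branches: ['main']` (and optionally a `schedule:`) under `on:` would produce that baseline. Separately, the `# v4` comments on the two `github/codeql-action` pins (and the `# v2` on the `msys2/setup-msys2` pin in the zephyr.yml hunk) name only a moving major tag, whereas the checkout pin records `# v6.0.2`; recording the exact release tag each SHA corresponds to, e.g. `# v<exact-release-tag>`, keeps the pin auditable and lets automated updaters track it.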
diff --git a/.github/workflows/codestyle.yml b/.github/workflows/codestyle.yml
index 63a076fc086a..02bb2084c12d 100644
--- a/.github/workflows/codestyle.yml
+++ b/.github/workflows/codestyle.yml
@@ -14,6 +14,9 @@ name: codestyle
 # yamllint disable-line rule:truthy
 on: [pull_request, workflow_call, workflow_dispatch]
+permissions:
+  contents: read
+
 jobs:
   checkpatch:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/daily-tests.yml b/.github/workflows/daily-tests.yml
index 40b90b01fe8e..139c946c3d84 100644
--- a/.github/workflows/daily-tests.yml
+++ b/.github/workflows/daily-tests.yml
@@ -13,6 +13,9 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
+permissions:
+  contents: read
+
 jobs:
   # Keep in .yml alphabetical order
diff --git a/.github/workflows/ipc_fuzzer.yml b/.github/workflows/ipc_fuzzer.yml
index 9b21ca03041b..755dbf4b5d9b 100644
--- a/.github/workflows/ipc_fuzzer.yml
+++ b/.github/workflows/ipc_fuzzer.yml
@@ -22,6 +22,9 @@ on:
   pull_request:
   # TODO: can we provide a default inputs here too?
+permissions:
+  contents: read
+
 jobs:
   simple-IPC-fuzz_sh:
diff --git a/.github/workflows/llext.yml b/.github/workflows/llext.yml
index a2888b75f2f4..2958566dc7f1 100644
--- a/.github/workflows/llext.yml
+++ b/.github/workflows/llext.yml
@@ -11,6 +11,9 @@ defaults:
   run:
     shell: bash
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 886d1b328ba7..f4091fdba2f4 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -31,6 +31,9 @@ on:
   # Allows to call this forkflow from other workflows
   workflow_call:
+permissions:
+  contents: read
+
 jobs:
   doxygen:
diff --git a/.github/workflows/repro-build.yml b/.github/workflows/repro-build.yml
index 034ae4ac286a..56746809f993 100644
--- a/.github/workflows/repro-build.yml
+++ b/.github/workflows/repro-build.yml
@@ -14,6 +14,9 @@ name: Reproducible builds
 # yamllint disable-line rule:truthy
 on: [pull_request, workflow_dispatch, workflow_call]
+permissions:
+  contents: read
+
 jobs:
   main:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/rimage.yml b/.github/workflows/rimage.yml
index b6e66c23c449..02800e45ded5 100644
--- a/.github/workflows/rimage.yml
+++ b/.github/workflows/rimage.yml
@@ -22,6 +22,9 @@ on:
     paths:
       - tools/rimage/**
+permissions:
+  contents: read
+
 jobs:
   # Basic build test
diff --git a/.github/workflows/sof-docs.yml b/.github/workflows/sof-docs.yml
index 5920c51aaad5..63af4acfc714 100644
--- a/.github/workflows/sof-docs.yml
+++ b/.github/workflows/sof-docs.yml
@@ -17,6 +17,9 @@ on:
   # Allows to call this forkflow from other workflows
   workflow_call:
+permissions:
+  contents: read
+
 jobs:
   # This is unfortunately a mix of sof-docs/.github/ + pull-request.yml#doxygen
diff --git a/.github/workflows/sparse-zephyr.yml b/.github/workflows/sparse-zephyr.yml
index e66856691dcb..02777f940fae 100644
--- a/.github/workflows/sparse-zephyr.yml
+++ b/.github/workflows/sparse-zephyr.yml
@@ -11,6 +11,9 @@ defaults:
   run:
     shell: bash
+permissions:
+  contents: read
+
 jobs:
   # As of sparse commit ce1a6720f69e / Sept 2022, the exit status of
   # sparse.c is an unusable mess and always zero in practice. Moreover
diff --git a/.github/workflows/testbench.yml b/.github/workflows/testbench.yml
index c6d16920abd0..290fe8e56dee 100644
--- a/.github/workflows/testbench.yml
+++ b/.github/workflows/testbench.yml
@@ -28,6 +28,9 @@ on:
   workflow_dispatch:
   workflow_call:
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/tools.yml b/.github/workflows/tools.yml
index 9c8197a6cbcc..108a3015d16a 100644
--- a/.github/workflows/tools.yml
+++ b/.github/workflows/tools.yml
@@ -7,6 +7,9 @@ name: User space tools/ directory
 # yamllint disable-line rule:truthy
 on: [pull_request, workflow_dispatch, workflow_call]
+permissions:
+  contents: read
+
 jobs:
   # This is not the same as building every ./build-tools.sh option.
   top-level_default_CMake_target_ALL:
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index 391807f6a336..de8577e87171 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -10,6 +10,9 @@ name: Unit tests
 # yamllint disable-line rule:truthy
 on: [pull_request, workflow_dispatch, workflow_call]
+permissions:
+  contents: read
+
 jobs:
   cmocka_utests:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/zephyr.yml b/.github/workflows/zephyr.yml
index 06b6cc3d7ee9..1e2728f3c0fa 100644
--- a/.github/workflows/zephyr.yml
+++ b/.github/workflows/zephyr.yml
@@ -14,6 +14,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
+permissions:
+  contents: read
+
 jobs:
   manifest-check:
     runs-on: ubuntu-latest
@@ -395,7 +398,7 @@ jobs:
       # https://github.com/actions/runner-images/blob/win22/20230918.1/images/win/Windows2022-Readme.md
       # Is it not good enough? Maybe it could save 20-30s.
       - name: Initialize MSYS2
-        uses: msys2/setup-msys2@v2
+        uses: msys2/setup-msys2@cafece8e6baf9247cf9b1bf95097b0b983cc558d # v2
         with:
           msystem: MSYS
           install: gcc openssl-devel