diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
index 02d04a47..e9dd9462 100644
--- a/.github/workflows/gosec.yml
+++ b/.github/workflows/gosec.yml
@@ -1,6 +1,8 @@
 # GoSec Security Checker
 # This workflow runs gosec to check Go code for security issues
 name: GoSec Security Checker
+permissions:
+  contents: read
 
 on:
   push:
diff --git a/.github/workflows/markdownlint.yml b/.github/workflows/markdownlint.yml
index a4d1e88f..4db9dd90 100644
--- a/.github/workflows/markdownlint.yml
+++ b/.github/workflows/markdownlint.yml
@@ -1,6 +1,8 @@
 # Markdown Lint
 # This workflow runs markdownlint on all Markdown files in the repository
 name: Markdown Lint
+permissions:
+  contents: read
 
 on:
   push:
diff --git a/.github/workflows/metrics.yml b/.github/workflows/metrics.yml
index 0efbe638..e3e89090 100644
--- a/.github/workflows/metrics.yml
+++ b/.github/workflows/metrics.yml
@@ -1,6 +1,8 @@
 # GitHub Metrics
 # This workflow generates a metrics SVG and commits it to the repository
 name: Metrics Embed
+permissions:
+  contents: write
 
 on:
   schedule: [{cron: "0 0 * * 0"}] # every week
diff --git a/.github/workflows/pylint.yml b/.github/workflows/pylint.yml
index 4bf75e0c..0a6b4a79 100644
--- a/.github/workflows/pylint.yml
+++ b/.github/workflows/pylint.yml
@@ -1,3 +1,5 @@
+permissions:
+  contents: read
 name: Pylint
 
 on: [push]
diff --git a/.github/workflows/python-docs.yml b/.github/workflows/python-docs.yml
index 7ab6a7fa..5a3fd91b 100644
--- a/.github/workflows/python-docs.yml
+++ b/.github/workflows/python-docs.yml
@@ -1,6 +1,8 @@
 # Python Auto Documentation
 # This workflow auto-generates documentation using Sphinx
 name: Python Auto Documentation
+permissions:
+  contents: read
 
 on:
   push:
diff --git a/.github/workflows/python-style.yml b/.github/workflows/python-style.yml
index ce01c013..d1c6fc7f 100644
--- a/.github/workflows/python-style.yml
+++ b/.github/workflows/python-style.yml
@@ -1,6 +1,8 @@
 # Python Style Check
 # This workflow checks Python code style using flake8
 name: Python Style Check
+permissions:
+  contents: read
 
 on:
   push:
diff --git a/build/azure-pipelines/publish-types/update-types.ts b/build/azure-pipelines/publish-types/update-types.ts
index 0f99b07c..3bb02b7a 100644
--- a/build/azure-pipelines/publish-types/update-types.ts
+++ b/build/azure-pipelines/publish-types/update-types.ts
@@ -16,7 +16,7 @@ try {
 
 	const dtsUri = `https://raw.githubusercontent.com/microsoft/vscode/${tag}/src/vscode-dts/vscode.d.ts`;
 	const outPath = path.resolve(process.cwd(), 'DefinitelyTyped/types/vscode/index.d.ts');
-	cp.execSync(`curl ${dtsUri} --output ${outPath}`);
+	cp.execFileSync('curl', [dtsUri, '--output', outPath]);
 
 	updateDTSFile(outPath, tag);