diff --git a/.github/workflows/load-test.yml b/.github/workflows/load-test.yml
index 77186f8..9e1617d 100644
--- a/.github/workflows/load-test.yml
+++ b/.github/workflows/load-test.yml
@@ -26,6 +26,11 @@ on:
 # # Run smoke test nightly at 2am UTC
 # - cron: '0 2 * * *'
+permissions:
+ contents: read
+ pull-requests: write
+ issues: write
+
 env:
 K6_VERSION: '0.47.0'
diff --git a/.github/workflows/nightly-security.yml b/.github/workflows/nightly-security.yml
index 37039e5..3f9e98c 100644
--- a/.github/workflows/nightly-security.yml
+++ b/.github/workflows/nightly-security.yml
@@ -7,6 +7,10 @@ on:
 # - cron: '0 1 * * *'
 workflow_dispatch:
+permissions:
+ contents: read
+ issues: write
+
 jobs:
 full-security-audit:
 name: Complete Security Audit
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 7e05010..fab5426 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -10,6 +10,11 @@ on:
 # # Run weekly on Monday at 9am UTC
 # - cron: '0 9 * * 1'
+permissions:
+ contents: read
+ pull-requests: write
+ issues: write
+
 jobs:
 brakeman:
 name: Brakeman Security Scan
diff --git a/app/controllers/api/v1/dashboard_controller.rb b/app/controllers/api/v1/dashboard_controller.rb
index 8db68de..bf2d52c 100644
--- a/app/controllers/api/v1/dashboard_controller.rb
+++ b/app/controllers/api/v1/dashboard_controller.rb
@@ -109,8 +109,11 @@ def active_goals_data
 def roster_status_data
 players = organization_scoped(Player).includes(:champion_pools)
+ # Order by role to ensure consistent order in by_role hash
+ by_role_ordered = players.ordered_by_role.group(:role).count
+
 {
- by_role: players.group(:role).count,
+ by_role: by_role_ordered,
 by_status: players.group(:status).count,
 contracts_expiring: players.contracts_expiring_soon.count
 }
diff --git a/app/controllers/api/v1/players_controller.rb b/app/controllers/api/v1/players_controller.rb
index fc57778..0fa1e51 100644
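Review bot: In `.github/workflows/load-test.yml` the new top-level `permissions:` block gives `pull-requests: write` and `issues: write` to every job in the workflow, not only the one that posts results. The same holds for the blocks added to `nightly-security.yml` (`issues: write`) and `security-scan.yml`. Keeping `contents: read` at workflow level and moving the write scopes into a job-level `permissions:` on the reporting job would leave the token read-only for steps that run third-party actions or project code. Once `permissions:` is set, every scope not listed becomes `none`, so any job that needs another scope (for example `security-events: write` for a SARIF upload) will start failing. The job definitions are outside these hunks, so that needs checking against the full files.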
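Review bot: In `roster_status_data` (`dashboard_controller.rb`) the role order now depends on hash insertion order surviving JSON serialization, and JSON consumers are not required to preserve object key order. If the client needs a fixed order, the comment should say what is and is not guaranteed, e.g. `# Hash follows SQL row order; JSON clients must not rely on key order`, or the endpoint could return an ordered array in a later change. The single-use local `by_role_ordered` could be inlined as `by_role: players.ordered_by_role.group(:role).count,`. The method's closing `end` lies outside the hunk.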
--- a/app/controllers/api/v1/players_controller.rb
+++ b/app/controllers/api/v1/players_controller.rb
@@ -14,8 +14,8 @@ def index
 players = players.where('summoner_name ILIKE ? OR real_name ILIKE ?', search_term, search_term)
 end
- # Pagination
- result = paginate(players.order(:role, :summoner_name))
+ # Pagination - order by role (top, jungle, mid, adc, support) then by name
+ result = paginate(players.ordered_by_role.order(:summoner_name))
 render_success({
 players: PlayerSerializer.render_as_hash(result[:data]),
diff --git a/app/models/player.rb b/app/models/player.rb
index fd9e117..05be110 100644
--- a/app/models/player.rb
+++ b/app/models/player.rb
@@ -38,6 +38,18 @@ class Player < ApplicationRecord
 where(contract_end_date: Date.current..Date.current + days.days)
 }
 scope :by_tier, ->(tier) { where(solo_queue_tier: tier) }
+ scope :ordered_by_role, -> {
+ order(Arel.sql(
+ "CASE role
+ WHEN 'top' THEN 1
+ WHEN 'jungle' THEN 2
+ WHEN 'mid' THEN 3
+ WHEN 'adc' THEN 4
+ WHEN 'support' THEN 5
+ ELSE 6
+ END"
+ ))
+ }
 # Instance methods
 def current_rank_display
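Review bot: The new sort in `index` (`players_controller.rb`) has no unique tie-breaker, so two players with the same role and `summoner_name` can change places between page requests and be duplicated or skipped by `paginate`. Unless `summoner_name` is unique within an organization (not visible here), appending the primary key makes paging stable: `result = paginate(players.ordered_by_role.order(:summoner_name, :id))`. `index` begins and ends outside this hunk.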
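Review bot: The `ordered_by_role` scope in `app/models/player.rb` references `role` unqualified, so it will fail with an ambiguous-column error once it is chained onto a query that joins another table with a `role` column. Assuming the conventional `players` table name, `CASE players.role` avoids that. Because `Arel.sql` marks the string as trusted and bypasses Rails' raw-SQL check, a comment above the scope would help keep it literal: `# Static SQL only: never interpolate request data into this Arel.sql string`. A role added later falls into `ELSE 6` and sorts last without notice, so the list should be kept in step with wherever the model defines valid roles (not visible in the hunk).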