diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 3f14b82f..6e3dd3be 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -10,11 +10,7 @@ on:
   pull_request_review:
     types: [submitted]
 
-permissions:
-  contents: read
-  pull-requests: read
-  issues: read
-  id-token: write
+permissions: read-all
 
 jobs:
   claude:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5efaa8aa..b14a5af2 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -13,14 +13,14 @@ on:
     - cron: '0 0 * * 0'
   workflow_dispatch:
 
-permissions:
-  contents: read
-  security-events: write
+permissions: read-all
 
 jobs:
   changes:
     name: Detect Changes
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     # Only run path detection for push/pull_request events
     if: github.event_name == 'push' || github.event_name == 'pull_request'
     outputs:
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index e8a3b34c..c709d08d 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -4,13 +4,14 @@ on:
   pull_request_target:
     types: [opened, synchronize, reopened]
 
-permissions:
-  contents: read
-  pull-requests: write
+permissions: read-all
 
 jobs:
   label:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Apply labels based on changed files
         uses: actions/labeler@v5
diff --git a/.github/workflows/pr-tests.yml b/.github/workflows/pr-tests.yml
index db6aff48..e3aed69c 100644
--- a/.github/workflows/pr-tests.yml
+++ b/.github/workflows/pr-tests.yml
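Review bot: The `permissions: read-all` line in claude.yml drops `id-token: write` and nothing in the hunk restores it at job level, unlike the codeql, labeler and stale hunks, which re-add their write scopes under the job; `read-all` grants read scopes only, so if the `claude` job authenticates through OIDC (the usual reason for requesting `id-token: write`) its token exchange will now fail. The `claude` job body lies outside the hunk, so this is inferred from the removed lines. `read-all` is also wider than the four explicit scopes it replaces, since it reads every scope rather than just contents, pull-requests and issues; the least-privilege form is a job-level block restoring exactly what was removed, with the top-level default left as-is or tightened to `permissions: {}`. The same top-level widening appears in the labeler.yml and stale.yml hunks, where the job-level blocks already override it for the only visible job.
```yaml
jobs:
  claude:
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
    # … unchanged: job body (outside the hunk) …
```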
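Review bot: The top-level `security-events: write` removed in codeql.yml is replaced only by `contents: read` on the `changes` job; the job that runs the CodeQL analysis is outside this hunk, and unless it carries its own job-level `security-events: write` further down the file, the SARIF upload at the end of analysis will be rejected under `read-all`, which cannot supply any write scope. Please confirm that job declares `permissions:` with `security-events: write` and `contents: read` (and `actions: read`, which CodeQL documents as needed on private repositories), or add them there. The explicit `contents: read` on the `changes` job is a good narrowing and can stay.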
@@ -46,14 +46,30 @@ jobs:
     secrets: inherit
 
   skip-tests:
-    name: Run Unity Tests
+    name: Skip Unity Tests
     needs: changes
     if: needs.changes.outputs.should_test == 'false'
     runs-on: ubuntu-latest
+    permissions:
+      statuses: write
     steps:
       - name: Skip tests
         run: echo "No relevant changes detected, skipping tests"
+      - name: Set PR check status (skipped)
+        uses: actions/github-script@v7
+        with:
+          script: |
+            await github.rest.repos.createCommitStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              sha: context.payload.pull_request.head.sha,
+              state: 'success',
+              target_url: `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
+              description: 'Skipped - no relevant changes',
+              context: 'Unity Tests'
+            });
+
 
   upload-coverage:
     name: Upload Coverage
     needs: [changes, run-tests]
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6d790186..c60e71a3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,8 +26,7 @@ on:
         required: false
         type: string
 
-permissions:
-  contents: write
+permissions: read-all
 
 jobs:
   validate:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index ba856851..17e04ce8 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -6,13 +6,14 @@ on:
     - cron: '0 0 * * *'
   workflow_dispatch:
 
-permissions:
-  issues: write
-  pull-requests: write
+permissions: read-all
 
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - name: Mark stale issues and PRs
         uses: actions/stale@v9
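Review bot: The new github-script step in pr-tests.yml dereferences `context.payload.pull_request.head.sha` unconditionally, while the job's `if:` only checks `should_test == 'false'`; if this workflow also runs on an event that carries no `pull_request` payload (the `on:` block is outside the hunk), the step throws a TypeError right after printing the skip message. Guard the step with `if: github.event_name == 'pull_request'`, or fall back with `sha: context.payload.pull_request?.head?.sha ?? context.sha,`. For pull requests from forks the GITHUB_TOKEN is read-only regardless of the job-level `statuses: write`, so the status call will be refused on those PRs unless the trigger is `pull_request_target`; worth confirming which the workflow uses. Lastly, `actions/github-script@v7` (like `actions/labeler@v5` and `actions/stale@v9` in the other hunks) is pinned by a mutable tag rather than a commit SHA, which is the weaker supply-chain posture for a step that runs with a write-capable token.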
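Review bot: release.yml loses its only write scope, `contents: write`, and the hunk adds no job-level replacement; the `validate` job is visible but the jobs that tag, create the release or upload assets are outside the hunk. Unless one of those jobs declares `permissions:` with `contents: write` further down the file, every release-publishing step will now fail with a permission error under `read-all`. Re-add `contents: write` on exactly the publishing job(s) and leave `validate` on the read-only default, so the write scope is attached only to the job that needs it.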