diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6ada163..fdce902 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,16 +1,62 @@
 version: 2
 updates:
- - package-ecosystem: "nuget"
- directory: "/"
+ # https://devblogs.microsoft.com/dotnet/using-dependabot-to-manage-dotnet-sdk-updates/
+ - package-ecosystem: "dotnet-sdk"
+ directory: /
 schedule:
 interval: "weekly"
- day: "sunday"
+ day: "tuesday"
+ open-pull-requests-limit: 1
+
+ # NuGet package updates for SRC
+ - package-ecosystem: nuget
+ directory: /src
+ schedule:
+ interval: weekly
+ day: sunday
 open-pull-requests-limit: 3
 rebase-strategy: disabled
- - package-ecosystem: "github-actions"
- directory: "/"
+ groups:
+ microsoft-sbom:
+ patterns: ['Microsoft.Sbom.*']
+ testcontainers:
+ patterns: ['Testcontainers*']
+ # Grouping for .NET packages (Monorepo)
+ microsoft:
+ patterns: [Microsoft.*, System.*]
+ all-dependencies:
+ patterns: ['*']
+
+ # NuGet package updates for TESTS
+ - package-ecosystem: nuget
+ directory: /tests
 schedule:
- interval: "weekly"
- day: "sunday"
+ interval: weekly
+ day: sunday
+ open-pull-requests-limit: 3
+ rebase-strategy: disabled
+ groups:
+ test-dependencies:
+ patterns: ['coverlet.collector', 'Microsoft.NET.Test.Sdk']
+ xunit:
+ patterns: [xunit.*]
+ # Grouping for Testcontainers
+ testcontainers:
+ patterns: ['Testcontainers*']
+ kafka:
+ patterns: ['Confluent.Kafka']
+ rabbitmq:
+ patterns: ['RabbitMQ.Client']
+ restassured:
+ patterns: ['RestAssured.Net']
+ all-dependencies:
+ patterns: ['*']
+
+# Github Actions updates
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ day: sunday
 open-pull-requests-limit: 3
 rebase-strategy: disabled
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 8d25603..319363c 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
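Review bot: The catch-all `all-dependencies` group (`patterns: ['*']`) in both the `/src` and `/tests` nuget entries has no `update-types` filter, so a major-version bump of any otherwise-unmatched package lands in the same pull request as routine patch updates. That makes an individual dependency change harder to review and to revert on its own, which matters for a repository that publishes to NuGet. Consider adding `update-types: [minor, patch]` to the catch-all groups so major versions still arrive as separate PRs. Separately, the new `dotnet-sdk` entry omits the `rebase-strategy: disabled` line that the other three entries carry; if that is deliberate, a one-line comment would say so.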
@@ -24,6 +24,8 @@ permissions: read-all jobs: version: name: Define Version + permissions: + contents: read uses: ./.github/workflows/steps.dotnet-version.yml with: runs-on: ubuntu-latest diff --git a/.github/workflows/steps.dotnet-build-test.yml b/.github/workflows/steps.dotnet-build-test.yml index 66f3d1a..faae090 100644 --- a/.github/workflows/steps.dotnet-build-test.yml +++ b/.github/workflows/steps.dotnet-build-test.yml @@ -23,6 +23,8 @@ publish-package: description: 'Publish package is enabled ?' value: ${{ jobs.build_test.outputs.publish-package }} +permissions: read-all + jobs: build_test: runs-on: ${{ inputs.runs-on }} diff --git a/.github/workflows/steps.dotnet-nuget-publish.yml b/.github/workflows/steps.dotnet-nuget-publish.yml index 6ad0af8..f3231d5 100644 --- a/.github/workflows/steps.dotnet-nuget-publish.yml +++ b/.github/workflows/steps.dotnet-nuget-publish.yml @@ -8,6 +8,8 @@ on: secrets: NUGET_KEY: required: true +permissions: read-all + jobs: nuget-publish: if: ${{ github.event_name != 'pull_request' && github.repository == 'microcks/microcks-testcontainers-dotnet' }} diff --git a/.github/workflows/steps.dotnet-version.yml b/.github/workflows/steps.dotnet-version.yml index 60fb37e..e83df37 100644 --- a/.github/workflows/steps.dotnet-version.yml +++ b/.github/workflows/steps.dotnet-version.yml @@ -15,6 +15,8 @@ majorMinorPatch: description: 'majorMinorPatch (gitversion)' value: ${{ jobs.define_version.outputs.majorMinorPatch }} +permissions: read-all + jobs: define_version: runs-on: ${{ inputs.runs-on }} diff --git a/.github/workflows/steps.github-release-draft.yml b/.github/workflows/steps.github-release-draft.yml index 79df02f..07ce102 100644 --- a/.github/workflows/steps.github-release-draft.yml +++ b/.github/workflows/steps.github-release-draft.yml 
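Review bot: `permissions: read-all` in steps.dotnet-build-test.yml gives the job token read access to every scope, which is wider than a build-and-test job normally needs; the same line is added in steps.dotnet-nuget-publish.yml and steps.dotnet-version.yml. cicd.yml already narrows the calling `version` job to `contents: read`, so the callee declarations could state the same minimum: `permissions:` with `contents: read` beneath it, adding further scopes only where a step requires one. This matters most for the publish workflow, which receives the `NUGET_KEY` secret. The job bodies lie outside these hunks, so confirm that no step reads another scope before tightening.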
@@ -12,6 +12,9 @@ jobs: release_drafter: if: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/main' }} + permissions: + contents: write + deployments: write runs-on: ${{ inputs.runs-on }} steps: - name: 🔄 Checkout diff --git a/.github/workflows/steps.publish-test-reporter.yml b/.github/workflows/steps.publish-test-reporter.yml index 76802b9..b291f24 100644 --- a/.github/workflows/steps.publish-test-reporter.yml +++ b/.github/workflows/steps.publish-test-reporter.yml @@ -5,6 +5,10 @@ required: false type: string default: 'ubuntu-latest' +permissions: + contents: read + actions: read + checks: write jobs: report: diff --git a/global.json b/global.json index 39c53b8..040dbd0 100644 --- a/global.json +++ b/global.json @@ -1,6 +1,6 @@ { "sdk": { - "version": "8.0.200", + "version": "9.0.303", "rollForward": "latestMinor" } }
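Review bot: The `contents: write` and `deployments: write` grants on `release_drafter` only take effect if the calling job allows them, and cicd.yml sets `permissions: read-all` at workflow level (visible in its hunk header); a reusable workflow cannot raise the token above what its caller grants. The same applies to `checks: write` in steps.publish-test-reporter.yml. The calling jobs are not part of this diff, so check that each carries a matching job-level `permissions:` block, as the `version` job now does. Also, nothing in the visible steps explains `deployments: write`; drop it unless a step outside the hunk creates deployments, and note that `pull-requests` becomes `none` once a job-level block is set.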