diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
index 49db9c6..5d2af0c 100644
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@@ -14,6 +14,12 @@ on:
 paths:
 - .github/workflows/**

+permissions: {}
+
+defaults:
+ run:
+ shell: bash
+
 jobs:
 actionlint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/conflibot.yml b/.github/workflows/conflibot.yml
new file mode 100644
index 0000000..e5b4d1e
--- /dev/null
+++ b/.github/workflows/conflibot.yml
@@ -0,0 +1,31 @@
+name: Check pull requests for conflicts
+
+on:
+ pull_request_target:
+ types: [ opened, synchronize, reopened ]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions: {}
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ conflibot:
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ permissions:
+ contents: read
+ pull-requests: read
+ checks: write
+
+ steps:
+ - uses: actions/checkout@v4
+ - uses: wktk/conflibot@v1
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ exclude: ""
diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml
index 011f4c5..ece2c40 100644
--- a/.github/workflows/create-release-pr.yml
+++ b/.github/workflows/create-release-pr.yml
@@ -7,6 +7,12 @@ name: Create release pull request
 on:
 workflow_dispatch:

+permissions: {}
+
+defaults:
+ run:
+ shell: bash
+
 jobs:
 create-release-pr:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/metacheck.yml b/.github/workflows/metacheck.yml
index 202cfaa..387d940 100644
--- a/.github/workflows/metacheck.yml
+++ b/.github/workflows/metacheck.yml
@@ -10,6 +10,12 @@ on:
 pull_request:
 types: [ opened, synchronize, reopened ] # Same as default

+permissions: {}
+
+defaults:
+ run:
+ shell: bash
+
 jobs:
 meta-check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
index 63d806e..952c795 100644
--- a/.github/workflows/pr-labeler.yml
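Review bot: The new top-level `permissions: {}` in actionlint.yml carries no comment, and with it every job receives a token with no scopes unless it declares its own `permissions:` block; the job bodies only begin in the trailing context and continue outside the hunk, so whether `actionlint` and the other jobs do that cannot be confirmed from here. The same applies to the identical hunks in create-release-pr.yml, metacheck.yml, pr-labeler.yml, release-drafter.yml, release.yml and test.yml, where jobs that open pull requests, apply labels or publish releases presumably need write scopes granted per job. A one-line comment above the key, such as `# Deny all GITHUB_TOKEN scopes by default; each job grants only what it needs`, would record the intent for the next maintainer.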
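Review bot: The concurrency group in the new conflibot.yml keys on `github.ref`, which under `pull_request_target` is the base branch rather than the pull request, so with `cancel-in-progress: true` a run for one PR can cancel the run for another PR targeting the same branch; `group: ${{ github.workflow }}-${{ github.event.pull_request.number }}` keeps them apart. Because this trigger also runs for fork PRs with a token that has `checks: write`, the two `uses:` lines are better pinned to a full commit SHA than to the mutable tags `@v4` and `@v1`, for example `uses: wktk/conflibot@<full-commit-sha>  # v1` (placeholder, to be resolved from the release). The checkout has no `ref:`, so it stays on the base branch and no PR-controlled code is checked out; a comment such as `# pull_request_target: keep this checkout on the base ref, never the PR head` above it would keep that property from being lost in a later edit.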
+++ b/.github/workflows/pr-labeler.yml
@@ -7,6 +7,12 @@ on:
 pull_request:
 types: [ opened ]

+permissions: {}
+
+defaults:
+ run:
+ shell: bash
+
 jobs:
 pr-labeler:
 if: github.event.pull_request.head.repo.fork == false # Skip on public fork
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 39429bc..7bed15e 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -13,6 +13,12 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true

+permissions: {}
+
+defaults:
+ run:
+ shell: bash
+
 jobs:
 release-drafter:
 if: github.repository_owner == 'nowsprinting' # Skip on forked repo
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 772b5cc..1fbfc7f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,12 @@ on:
 paths:
 - package.json

+permissions: {}
+
+defaults:
+ run:
+ shell: bash
+
 jobs:
 check-bump-version:
 if: github.repository_owner == 'nowsprinting' # Skip on forked repo
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 6f8cfd6..e32efb5 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -22,6 +22,12 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true

+permissions: {}
+
+defaults:
+ run:
+ shell: bash
+
 jobs:
 test:
 if: github.event.pull_request.head.repo.fork == false # Skip on public fork, because can not read secrets.