diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fc9f1ab..f739f3a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,12 +1,14 @@
+name: Build and upload binaries
 on:
   release:
     types: [published]
   push:
   pull_request:
-name: Build binaries
+permissions:
+  contents: read
 jobs:
-  binaries:
-    name: Build and upload
+  build:
+    name: Build binaries
     runs-on: ubuntu-latest
     steps:
       - name: Install Go
@@ -47,9 +49,20 @@ jobs:
         with:
           name: age-binaries
           path: age-*
+  upload:
+    name: Upload release binaries
+    if: ${{ github.event_name == 'release' }}
+    needs: build
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download workflow artifacts
+        uses: actions/download-artifact@v2
+        with:
+          name: age-binaries
       - name: Upload release artifacts
         uses: actions/github-script@v3
-        if: ${{ github.event_name == 'release' }}
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
diff --git a/.github/workflows/gotip.yml b/.github/workflows/gotip.yml
index 249c227..19e7f3b 100644
--- a/.github/workflows/gotip.yml
+++ b/.github/workflows/gotip.yml
@@ -1,5 +1,7 @@
 on: [push, pull_request]
 name: Go tip tests
+permissions:
+  contents: read
 jobs:
   test:
     name: Test
diff --git a/.github/workflows/interop.yml b/.github/workflows/interop.yml
index f9afa50..4b548e6 100644
--- a/.github/workflows/interop.yml
+++ b/.github/workflows/interop.yml
@@ -1,5 +1,7 @@
 name: Interoperability tests
 on: push
+permissions:
+  contents: read
 jobs:
   trigger:
     name: Trigger
diff --git a/.github/workflows/ronn.yml b/.github/workflows/ronn.yml
index 653857e..c4a4bad 100644
--- a/.github/workflows/ronn.yml
+++ b/.github/workflows/ronn.yml
@@ -1,14 +1,16 @@
+name: Generate man pages
 on:
   push:
     branches:
       - '**'
     paths:
       - '**.ronn'
-name: Generate man pages
+permissions:
+  contents: read
 jobs:
   ronn:
-    runs-on: ubuntu-latest
     name: Ronn
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -24,10 +26,29 @@ jobs:
             awk '/Filippo Valsorda/ { $0 = "<p>Filippo Valsorda <a href=\"mailto:age@filippo.io\" data-bare-link=\"true\">age@filippo.io</a></p>" } { print }' "$f" > "$f.tmp"
             mv "$f.tmp" "$f"
           done
+      - name: Upload generated files
+        uses: actions/upload-artifact@v2
+        with:
+          name: man-pages-html
+          path: doc/*.html
+  commit:
+    name: Commit changes
+    needs: ronn
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Download generated files
+        uses: actions/download-artifact@v2
+        with:
+          name: man-pages-html
+          path: doc/
       - name: Commit and push if changed
         run: |-
           git config user.name "GitHub Actions"
           git config user.email "actions@users.noreply.github.com"
-          git add -A
+          git add doc/
           git commit -m "doc: regenerate groff and html man pages" || exit 0
           git push
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f24c144..8871230 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,5 +1,7 @@
-on: [push, pull_request]
 name: Go tests
+on: [push, pull_request]
+permissions:
+  contents: read
 jobs:
   test:
     name: Test