diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3948558b5e..41451bb989 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -6,6 +6,9 @@ on: - 3.* pull_request: +permissions: + contents: read + jobs: test: name: Test diff --git a/.github/workflows/pr-comment.yml b/.github/workflows/pr-comment.yml index 881e1d6bc0..3a147d5037 100644 --- a/.github/workflows/pr-comment.yml +++ b/.github/workflows/pr-comment.yml @@ -3,10 +3,16 @@ name: Agrega comentario a PR on: pull_request_target: +permissions: + contents: read + jobs: - pr-comment: + define-comment: name: Entradas sin traducción runs-on: ubuntu-22.04 + outputs: + any_changed: ${{ steps.changed-files.outputs.any_changed }} + comment: ${{ steps.create-pr-comment.outputs.comment }} steps: - uses: actions/checkout@v4 with: @@ -17,9 +23,18 @@ jobs: with: python-version: "3.11" cache: "pip" + # checkout these files from the base branch to guarantee they haven't been + # modified by the PR + - uses: actions/checkout@v4 + with: + path: base-branch + sparse-checkout-cone-mode: false + sparse-checkout: | + requirements.txt + scripts/list_missing_entries.py - name: Instalar dependencias run: | - python -m pip install -r requirements.txt + python -m pip install -r base-branch/requirements.txt - name: Obtiene lista de archivos con cambios id: changed-files uses: tj-actions/changed-files@v40 @@ -34,12 +49,20 @@ jobs: run: | { echo 'comment<> "$GITHUB_OUTPUT" + + write-comment: + runs-on: ubuntu-22.04 + needs: [define-comment] + if: needs.define-comment.outputs.any_changed == 'true' + permissions: + issues: write + pull-requests: write + steps: - name: Agregar comentario con entradas faltantes - if: steps.changed-files.outputs.any_changed == 'true' uses: thollander/actions-comment-pull-request@v2 with: - message: ${{ steps.create-pr-comment.outputs.comment }} + message: ${{ needs.define-comment.outputs.comment }} comment_tag: missing-entries 
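Review bot: Nothing in pr-comment.yml records why the job is split into `define-comment` and `write-comment` in the first hunk (`@@ -3,10 +3,16 @@`), so a later cleanup could merge them again and hand the write token back to the job that handles PR content. A comment above the new top-level `permissions:` block would cover it, for example `# pull_request_target runs with the base repository's token: default to read-only and grant write only in write-comment`. The `steps:` list of `define-comment` continues outside this hunk.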
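Review bot: In the second pr-comment.yml hunk (`@@ -17,9 +23,18 @@`) only the `pip install` line is switched to the `base-branch/` copy. The step that runs `scripts/list_missing_entries.py` is not visible here, so confirm it invokes `base-branch/scripts/list_missing_entries.py`; otherwise the sparse checkout of that file protects nothing under `pull_request_target`. Both `actions/checkout@v4` steps should also set `persist-credentials: false`, because this job appears to go on to process PR-supplied files and the token is otherwise left in the checkout's git config. The `with:` block of the first checkout and the rest of the `steps:` list lie outside the hunk.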
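Review bot: In the third pr-comment.yml hunk (`@@ -34,12 +49,20 @@`) the new `write-comment` job holds `issues: write` and `pull-requests: write`, yet it runs `thollander/actions-comment-pull-request@v2` from a mutable tag; pin it to a full commit SHA, e.g. `uses: thollander/actions-comment-pull-request@<full-commit-sha> # v2`. The same pinning applies to `tj-actions/changed-files@v40` in `define-comment`, which runs in the job that handles the PR's files. `issues: write` may be broader than the comment step needs if `pull-requests: write` alone is sufficient, which is worth checking against the action's documentation. The job also has no `name:`, unlike `define-comment`.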
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index 6004689909..7924b86358 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -3,9 +3,15 @@ on: schedule: - cron: '30 1 * * *' +permissions: + contents: read + jobs: stale: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: actions/stale@v8 with:
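Review bot: Job-level `permissions` replace the workflow-level block rather than merging with it, so the `stale` job runs with `issues: write` and `pull-requests: write` and no `contents` access at all. A short comment on the job-level block would keep a later editor from assuming `contents: read` still applies, e.g. `# job-level permissions replace the workflow default (no contents access here)`. The `with:` block of `actions/stale@v8` is outside the hunk; if it enables branch deletion, the job would additionally need `contents: write`.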