diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 5088d70c34..0bbb6841d3 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -1,18 +1,41 @@
 name: Linting
 on:
-  - pull_request
+  push:
+    branches:
+      - master
+  pull_request:
+  workflow_dispatch:
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
+
 jobs:
-  yamllint:
-    name: Yamllint
+  lint-ruby:
+    name: Ruby
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ruby # Latest stable CRuby version
+          bundler-cache: true
+      - name: internal_investigation
+        run: bundle exec rake internal_investigation
+
+  lint-yaml:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: write  # for karancode/yamllint-github-action to post comments on PRs
+    name: Yaml
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: Yamllint
-        uses: karancode/yamllint-github-action@master
+        uses: karancode/yamllint-github-action@v3.0.0
         with:
+          yamllint_strict: true
+          yamllint_format: parsable
           yamllint_comment: true
         env:
           GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/spell_checking.yml b/.github/workflows/spell_checking.yml
index fec1e652b4..cbfbc09d60 100644
--- a/.github/workflows/spell_checking.yml
+++ b/.github/workflows/spell_checking.yml
@@ -2,6 +2,9 @@ name: Spell Checking
 
 on: [pull_request]
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -14,6 +17,8 @@ jobs:
       - uses: actions/checkout@v4
       - uses: codespell-project/actions-codespell@v2
         with:
+          check_filenames: true
+          check_hidden: true
           ignore_words_file: codespell.txt
   misspell:
     name: Check spelling of all files in commit with misspell
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d029641b6e..79c174bbc7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,17 +7,17 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
 jobs:
   main:
-    name: Ruby ${{ matrix.ruby }}
+    name: Spec - ${{ matrix.ruby }}
     runs-on: ubuntu-latest
-    env:
-      # See https://github.com/tmm1/test-queue#environment-variables
-      TEST_QUEUE_WORKERS: 2
     strategy:
       fail-fast: false
       matrix:
@@ -25,41 +25,32 @@ jobs:
         ruby: ['2.7', '3.0', '3.1', '3.2', '3.3', 'head']
 
     steps:
-      - name: checkout
-        uses: actions/checkout@v4
-      - name: set up Ruby
-        uses: ruby/setup-ruby@v1
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
         with:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true
       - name: spec
         run: bundle exec rake spec
-      - name: internal_investigation
-        run: bundle exec rake internal_investigation
 
   jruby:
-    name: JRuby 9.4
+    name: Spec - JRuby
     runs-on: ubuntu-latest
     steps:
-      - name: checkout
-        uses: actions/checkout@v4
-      - name: set up Ruby
-        uses: ruby/setup-ruby@v1
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
         with:
-          ruby-version: jruby-9.4
+          ruby-version: jruby # Latest stable JRuby version
           bundler-cache: true
       - name: spec
         run: bundle exec rake spec
-      - name: internal_investigation
-        run: bundle exec rake internal_investigation
 
   prism:
     runs-on: ubuntu-latest
     name: Prism
     steps:
       - uses: actions/checkout@v4
-      - name: set up Ruby
-        uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@v1
         with:
           # Specify the minimum Ruby version 2.7 required for Prism to run.
           ruby-version: 2.7
@@ -74,12 +65,11 @@ jobs:
     name: Check documentation syntax
     steps:
       - uses: actions/checkout@v4
-      - name: set up Ruby
-        uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@v1
         with:
-          ruby-version: 3.2
+          ruby-version: ruby # Latest stable CRuby version
           bundler-cache: true
-      - name: test
+      - name: Check documentation syntax
         run: bundle exec rake documentation_syntax_check
 
   oldest_supported_rubocop:
@@ -95,8 +85,7 @@ jobs:
           cat << EOF > Gemfile.local
             gem 'rubocop', '1.52.0' # Specify the oldest supported RuboCop version
           EOF
-      - name: set up Ruby
-        uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@v1
         with:
           ruby-version: 2.7
           bundler-cache: true