diff --git a/.github/workflows/build_push_concheck.yaml b/.github/workflows/build_push_concheck.yaml
index 44a2b0f..b5e0ad5 100644
--- a/.github/workflows/build_push_concheck.yaml
+++ b/.github/workflows/build_push_concheck.yaml
@@ -28,7 +28,7 @@ jobs:
 with:
 registry: ghcr.io
 username: ${{ secrets.GH_USERNAME }}
- password: ${{ secrets.GH_TOKEN }}
+ password: ${{ secrets.GHCR_TOKEN }}
 - name: Build and push concheck
 uses: docker/build-push-action@v2
 with:
diff --git a/.github/workflows/build_push_controller.yaml b/.github/workflows/build_push_controller.yaml
index 02bbb6a..fc4fc71 100644
--- a/.github/workflows/build_push_controller.yaml
+++ b/.github/workflows/build_push_controller.yaml
@@ -52,7 +52,7 @@ jobs:
 with:
 registry: ghcr.io
 username: ${{ secrets.GH_USERNAME }}
- password: ${{ secrets.GH_TOKEN }}
+ password: ${{ secrets.GHCR_TOKEN }}
 - name: Build and push bundle
 uses: docker/build-push-action@v2
 with:
@@ -82,7 +82,7 @@ jobs:
 with:
 registry: ghcr.io
 username: ${{ secrets.GH_USERNAME }}
- password: ${{ secrets.GH_TOKEN }}
+ password: ${{ secrets.GHCR_TOKEN }}
 - name: Build and push controller
 uses: docker/build-push-action@v2
 with:
diff --git a/.github/workflows/build_push_daemon.yaml b/.github/workflows/build_push_daemon.yaml
index 8b4b80e..ad32069 100644
--- a/.github/workflows/build_push_daemon.yaml
+++ b/.github/workflows/build_push_daemon.yaml
@@ -33,7 +33,7 @@ jobs:
 with:
 registry: ghcr.io
 username: ${{ secrets.GH_USERNAME }}
- password: ${{ secrets.GH_TOKEN }}
+ password: ${{ secrets.GHCR_TOKEN }}
 - name: Build and push daemon
 uses: docker/build-push-action@v2
 with:
diff --git a/.github/workflows/build_push_kbuilder.yaml b/.github/workflows/build_push_kbuilder.yaml
index c6b5165..994b8c7 100644
--- a/.github/workflows/build_push_kbuilder.yaml
+++ b/.github/workflows/build_push_kbuilder.yaml
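Review bot: In the ghcr.io login step of build_push_concheck.yaml the password is still a stored, long-lived token, only under a new secret name (`secrets.GHCR_TOKEN`); the same holds for both login steps in build_push_controller.yaml and for build_push_daemon.yaml and build_push_kbuilder.yaml. If the images are published under this repository's owner, the run-scoped token is normally enough: `password: ${{ secrets.GITHUB_TOKEN }}` with `username: ${{ github.actor }}` and a job-level `permissions:` entry `packages: write`. That credential expires with the run, so a leaked log or a compromised build step exposes much less than a personal access token. If a PAT has to stay, it should carry only the package-write scope; the login steps begin outside these hunks, so any permissions these workflows already declare are not visible here.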
@@ -27,7 +27,7 @@ jobs:
 with:
 registry: ghcr.io
 username: ${{ secrets.GH_USERNAME }}
- password: ${{ secrets.GH_TOKEN }}
+ password: ${{ secrets.GHCR_TOKEN }}
 - name: Build and push
 uses: docker/build-push-action@v2
 with:
diff --git a/.github/workflows/commit-lint.yaml b/.github/workflows/commit-lint.yaml
index 485f216..662bb93 100644
--- a/.github/workflows/commit-lint.yaml
+++ b/.github/workflows/commit-lint.yaml
@@ -2,9 +2,7 @@ name: commit-lint
 on:
 pull_request:
-permissions:
- contents: read
- pull-requests: read
+permissions: read-all
 jobs:
 commitlint:
diff --git a/.github/workflows/daemon_unittest.yaml b/.github/workflows/daemon_unittest.yaml
index fe76292..2b72eeb 100644
--- a/.github/workflows/daemon_unittest.yaml
+++ b/.github/workflows/daemon_unittest.yaml
@@ -8,6 +8,8 @@ on:
 - cni/**
 - Makefile
+permissions: read-all
+
 jobs:
 daemon-test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml
index 5d74fac..4f12ff3 100644
--- a/.github/workflows/golangci-lint.yaml
+++ b/.github/workflows/golangci-lint.yaml
@@ -3,6 +3,8 @@ on:
 pull_request:
 push:
+permissions: read-all
+
 env:
 GOLANGCI_LINT_VERSION: v1.64.8
diff --git a/.github/workflows/integration_test.yaml b/.github/workflows/integration_test.yaml
index e58bd0c..fe7c23a 100644
--- a/.github/workflows/integration_test.yaml
+++ b/.github/workflows/integration_test.yaml
@@ -16,6 +16,8 @@ on:
 - ./*/go.mod
 - ./*/src/go.mod
+permissions: read-all
+
 jobs:
 scale-test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/unittest.yaml b/.github/workflows/unittest.yaml
index f51a26e..018a209 100644
--- a/.github/workflows/unittest.yaml
+++ b/.github/workflows/unittest.yaml
@@ -13,8 +13,9 @@ on:
 - ./*/go.mod
 - ./*/src/go.mod
-jobs:
+permissions: read-all
+jobs:
 controller-test:
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/version-update.yml b/.github/workflows/version-update.yml
index 0b2a66b..a8b05a8 100644
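Review bot: `permissions: read-all` in commit-lint.yaml widens the workflow token compared with the block it replaces, which granted only `contents: read` and `pull-requests: read`; read-all adds read access to every other scope as well. For a workflow triggered by `pull_request`, keeping the explicit two-entry mapping preserves least privilege and documents what the job actually needs. The same shorthand is added to daemon_unittest.yaml, golangci-lint.yaml, integration_test.yaml and unittest.yaml; there it is an improvement over having no declaration, but a `permissions:` mapping with only `contents: read` is probably sufficient for lint and test jobs. That last point is hedged because the job steps lie outside these hunks.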
--- a/.github/workflows/version-update.yml
+++ b/.github/workflows/version-update.yml
@@ -1,4 +1,4 @@
-name: "Automated Version Update"
+name: "Create Version Update PR"
 permissions:
 contents: write
@@ -36,7 +36,7 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
 with:
- token: ${{ secrets.GH_TOKEN }}
+ token: ${{ secrets.GHCR_TOKEN }}
 - name: Configure Git
 run: |
@@ -76,7 +76,7 @@ jobs:
 if: steps.check_changes.outputs.changes == 'true'
 uses: peter-evans/create-pull-request@v5
 with:
- token: ${{ secrets.GH_TOKEN }}
+ token: ${{ secrets.GHCR_TOKEN }}
 branch: chore/update-version-${{ env.NEW_VERSION }}
 base: main
 delete-branch: true
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 0000000..39b9d4b
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1,8 @@
+##############################################################
+#
+# List of approvers/reviewers for Multi-NIC CNI project
+#
+##############################################################
+
+# All files in workflows folder must be approved by listed active maintainers.
+.github/workflows/* @sunya-ch @tatsuhirochiba @chcost
\ No newline at end of file
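Review bot: The checkout step and the create-pull-request step in version-update.yml now authenticate with `secrets.GHCR_TOKEN`, the same secret the image workflows use to log in to ghcr.io, so a single token has to hold both package-write and repository-write/pull-request rights. A leak from any build workflow would then also allow pushing branches and opening pull requests here. A separate, narrowly scoped secret for this workflow would contain that, for example `token: ${{ secrets.<VERSION_UPDATE_TOKEN> }}` (placeholder name). In addition, actions/checkout keeps the token it is given in the local git configuration unless `persist-credentials: false` is set, so later `run:` steps in the job can read it. Whether any step between checkout and create-pull-request needs to push cannot be seen from these hunks.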
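Review bot: The single rule in the new CODEOWNERS file covers `.github/workflows/*` but not CODEOWNERS itself, so a pull request can remove or weaken the rule without needing approval from the listed maintainers; add a line such as `/CODEOWNERS @sunya-ch @tatsuhirochiba @chcost`. The comment says workflow files "must be approved", which only holds when the branch protection option requiring code-owner review is enabled, and that setting is not visible in this diff. The `*` pattern matches files directly in that folder only, so anything nested below it or elsewhere under `.github/` is not covered. The file also ends without a trailing newline.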