diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 70774ed..53fc337 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -15,13 +15,17 @@ updates:
 open-pull-requests-limit: 10
 - package-ecosystem: "docker"
- directory: "/"
+ directories:
+ - "/**/*"
 rebase-strategy: disabled
 schedule:
 interval: "cron"
 cronjob: "30 1 * * *"
 timezone: "America/New_York"
 open-pull-requests-limit: 10
+ groups:
+ monorepo-dependencies:
+ group-by: dependency-name
 - package-ecosystem: "github-actions"
 directories:
@@ -35,6 +39,8 @@ updates:
 timezone: "America/New_York"
 open-pull-requests-limit: 10
 groups:
+ monorepo-dependencies:
+ group-by: dependency-name
 docker-actions:
 applies-to: version-updates
 patterns:
@@ -81,7 +87,8 @@ updates:
 open-pull-requests-limit: 10
 - package-ecosystem: "pip"
- directory: "/"
+ directories:
+ - "/**/*"
 rebase-strategy: disabled
 schedule:
 interval: "cron"
@@ -89,6 +96,8 @@ updates:
 timezone: "America/New_York"
 open-pull-requests-limit: 10
 groups:
+ monorepo-dependencies:
+ group-by: dependency-name
 pytest-dependencies:
 applies-to: version-updates
 patterns:
diff --git a/.github/workflows/_codeql.yml b/.github/workflows/_codeql.yml
index 15c5a6f..5569a2e 100644
--- a/.github/workflows/_codeql.yml
+++ b/.github/workflows/_codeql.yml
@@ -4,16 +4,13 @@
 # the above-mentioned repo.
 name: CodeQL
-permissions:
- actions: read
- contents: read
- security-events: write
+permissions: {}
 on:
+ pull_request:
 push:
 branches:
 - master
- pull_request:
 schedule:
 - cron: '00 12 * * 0' # every Sunday at 12:00 UTC
@@ -26,3 +23,7 @@ jobs:
 name: CodeQL
 uses: LizardByte/.github/.github/workflows/__call-codeql.yml@master
 if: ${{ github.repository != 'LizardByte/.github' }}
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
diff --git a/.github/workflows/_common-lint.yml b/.github/workflows/_common-lint.yml
index 80be0cc..276fca5 100644
--- a/.github/workflows/_common-lint.yml
+++ b/.github/workflows/_common-lint.yml
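Review bot: In the `docker` entry of `.github/dependabot.yml` (first hunk), replacing `directory: "/"` with the single glob `"/**/*"` may drop the repository root from the scan, since it is not evident that this pattern matches `/` itself; the third hunk makes the same change to the `pip` entry. If root-level manifests should stay covered, list the root explicitly next to the glob: `- "/"` followed by `- "/**/*"`. A recursive glob also brings manifests in vendored or fixture directories into update scope, which is worth confirming against the repository layout.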
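Review bot: In the `github-actions` entry of `.github/dependabot.yml` (second hunk), `monorepo-dependencies` is inserted ahead of `docker-actions`, and Dependabot assigns an update to the first group it matches in file order. The new group has no `patterns`, so if it matches every dependency, the pattern-based groups below it would stop receiving updates; the fourth hunk does the same ahead of `pytest-dependencies`. If the named groups are meant to keep working, move the two added lines below the last pattern group, or add a comment such as `# catch-all: must stay last so the pattern groups above match first`. The rest of each `groups:` mapping lies outside these hunks, so the full ordering cannot be checked here.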
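Review bot: In `_codeql.yml` (second hunk) the three scopes, including `security-events: write`, are now granted at the call to a reusable workflow referenced by branch (`@master`), and nothing in the file records why each one is needed. A short comment above the block would let a later reviewer trim it safely, for example `# security-events: write uploads code-scanning results; the read scopes cover checkout and run metadata (confirm against __call-codeql.yml)`. The `uses:` line is unchanged context and the called workflow is not visible here, so the exact needs are inferred rather than confirmed.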
@@ -4,8 +4,7 @@
 # the above-mentioned repo.
 name: common lint
-permissions:
- contents: read
+permissions: {}
 on:
 pull_request:
@@ -19,3 +18,6 @@ jobs:
 name: Common Lint
 uses: LizardByte/.github/.github/workflows/__call-common-lint.yml@master
 if: ${{ github.repository != 'LizardByte/.github' }}
+ permissions:
+ contents: read
+ pull-requests: read
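Review bot: In `_common-lint.yml` (second hunk) the job-level block adds `pull-requests: read`, which the removed top-level block did not grant; it held only `contents: read`. The job token therefore ends up wider than before, not just moved to job scope. If the called workflow really reads pull-request data, say so in a trailing comment on that line naming the step that needs it; otherwise drop the line so the job keeps `contents: read` only. The called workflow `__call-common-lint.yml` is not part of this diff, so whether the scope is required cannot be confirmed from here.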