diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 0579f4b..19440b0 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -8,20 +8,40 @@ on:
 branches: [main]
 pull_request:
 branches: ['**']
+ # Allow manually re-running the check from the Actions tab.
+ workflow_dispatch:
+
+# Cancel a PR's in-progress run when a new commit supersedes it; let main-branch
+# runs finish so every commit on main stays verified.
+concurrency:
+ group: check-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+# Least privilege: the check only reads the repo.
+permissions:
+ contents: read
 jobs:
 build:
 runs-on: ubuntu-latest
+ timeout-minutes: 15
 strategy:
 matrix:
 node-version: ['24.14']
 steps:
- - uses: actions/checkout@v2
+ # persist-credentials: false keeps the GITHUB_TOKEN out of .git/config, so a
+ # compromised build dependency can't read it. If you add a step that pushes
+ # via git (deploy, tag, generated commit), set this back to true or
+ # authenticate that step explicitly.
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
 - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v1
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: ${{ matrix.node-version }}
+ cache: npm
 - run: npm ci
 - run: npx @fuzdev/gro check --workspace --build
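Review bot: The `# v6.0.3` and `# v6.4.0` trailing comments on the newly SHA-pinned checkout and setup-node steps are what Dependabot/Renovate parse to bump a pinned action, so each comment must be kept in sync with its SHA on every update and an updater for the `github-actions` ecosystem should be configured, which this diff cannot show either way. The threat the new checkout comment names, a compromised build dependency, is exercised by the unchanged `- run: npm ci` step, which runs dependency lifecycle scripts on every PR including ones from forks; if no dependency needs install scripts, `- run: npm ci --ignore-scripts` removes that exposure, and if the build relies on them a comment saying so would stop a future reviewer from re-raising it. The `cache: npm` addition is keyed by setup-node on the lockfile hash and `npm ci` still verifies lockfile integrity, so it does not weaken the pin. The `contents: read` permission block and the PR-only `cancel-in-progress` expression read correctly as written.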