diff --git a/.github/linters/.secretlintrc.json b/.github/linters/.secretlintrc.json
new file mode 100644
index 0000000000..5a24d36274
--- /dev/null
+++ b/.github/linters/.secretlintrc.json
@@ -0,0 +1,15 @@
+{
+ "rules": [
+ {
+ "id": "@secretlint/secretlint-rule-preset-recommend",
+ "rules": [
+ {
+ "id": "@secretlint/secretlint-rule-basicauth",
+ "options": {
+ "allows": [ "/secret/i" ]
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e6506f88bb..b7dce98df5
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,6 +5,8 @@ name: Build documentation
 on: [pull_request]
+permissions: read-all
+
 jobs:
 build:
 name: Build with Hugo
diff --git a/.github/workflows/build_pr_preview.yml b/.github/workflows/build_pr_preview.yml
index 287d649a26..4315a0f2a1
--- a/.github/workflows/build_pr_preview.yml
+++ b/.github/workflows/build_pr_preview.yml
@@ -8,6 +8,8 @@ on:
 # Run when label is added or present and when pushing to the PR
 types: [labeled, opened, synchronize]
+permissions: read-all
+
 jobs:
 build_preview:
 # Do not run on forks, and only if "safe for preview" label is set
diff --git a/.github/workflows/check-links.yml b/.github/workflows/check-links.yml
index 97a6129073..135493ae48
--- a/.github/workflows/check-links.yml
+++ b/.github/workflows/check-links.yml
@@ -7,6 +7,8 @@ on:
 # run on Sundays morning
 - cron: '32 9 * * 0'
+permissions: read-all
+
 jobs:
 markdown-link-check:
 name: Check links using markdown-link-check
diff --git a/.github/workflows/delete_pr_preview.yml b/.github/workflows/delete_pr_preview.yml
index 56459927ee..17c16b4fab
--- a/.github/workflows/delete_pr_preview.yml
+++ b/.github/workflows/delete_pr_preview.yml
@@ -6,6 +6,8 @@ on:
 # Run when label is removed or pull request closed
 types: [unlabeled, closed]
+permissions: read-all
+
 jobs:
 delete_preview:
 # Do not run on forks, and only if "safe for preview" label is set
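Review bot: The `allows` entry `"/secret/i"` on the basicauth rule suppresses any basic-auth match whose text contains the substring `secret`, case-insensitively, so a real credential such as `https://admin:MySecretPass@host` in the docs would be allowed along with the intended placeholder. If the placeholder credentials used in the documentation are fixed, anchor the pattern to that exact value (for example `/:secret@/i`, or the literal placeholder URL) rather than the bare substring. Since strict JSON cannot carry a comment, the rationale for the allow-list belongs in the PR description or the linter README so the next maintainer does not widen it further.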
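Review bot: `permissions: read-all` grants the GITHUB_TOKEN read access to every scope (packages, deployments, security-events, and so on) when a checkout-and-build workflow only needs to read the repository; the same applies to the other `read-all` hunks in this commit. Prefer the explicit minimal form, `permissions:` / `  contents: read`, adding `pull-requests: read` only where a job actually reads PR metadata. The job bodies are outside these hunks, so any job that pushes, comments or uploads results will need its own job-level `permissions:` override on top of the restrictive workflow default.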
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index cfe4af1feb..8be1207240
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -10,6 +10,8 @@ on:
 branches:
 - main
+permissions: read-all
+
 jobs:
 deploy:
 name: Build using Hugo and deploy
diff --git a/.github/workflows/deploy_pr_preview.yml b/.github/workflows/deploy_pr_preview.yml
index 8de352d305..547b214ad2
--- a/.github/workflows/deploy_pr_preview.yml
+++ b/.github/workflows/deploy_pr_preview.yml
@@ -13,6 +13,8 @@ on:
 workflows: ["Build pull request preview"]
 types: [completed]
+permissions: read-all
+
 jobs:
 deploy_pr_preview:
 # Only run if PR preview build was successful
@@ -58,9 +60,6 @@ jobs:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 # Purge older files from a given PR
 keep_files: false
-# Accessible at http://docs.egi.eu/documentation/
-# XXX use a different domain
-# cname: docs.egi.eu
 # Branch to push to
 publish_branch: pr_previews
 # Source directory
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index e603031318..4e6cb4c4d6
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -4,6 +4,8 @@ name: Lint
 on:
 pull_request:
+permissions: read-all
+
 jobs:
 super-lint:
 name: Lint with Super-Linter
diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
new file mode 100644
index 0000000000..4a57414e4d
--- /dev/null
+++ b/.github/workflows/mega-linter.yml
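Review bot: The workflow-level `permissions: read-all` added in the first deploy_pr_preview.yml hunk leaves GITHUB_TOKEN without `contents: write`, yet the second hunk shows the deploy step pushing to `publish_branch: pr_previews` with `github_token: ${{ secrets.GITHUB_TOKEN }}`; unless the `deploy_pr_preview` job (its body lies outside the hunks) already declares a job-level override, that push will now be rejected. Add `permissions:` / `  contents: write` to that job and keep the workflow default restrictive; deploy.yml in this commit most likely needs the same check. Because this workflow is triggered by `workflow_run` on "Build pull request preview", it runs with repository-level secrets even for fork-originated builds, so anything it consumes from the upstream run's artifacts should be treated as untrusted input.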
@@ -0,0 +1,122 @@
+---
+# MegaLinter GitHub Action configuration file
+# More info at https://megalinter.io
+name: MegaLinter
+
+on:
+ # Trigger mega-linter at every push. Action will also be visible from Pull Requests to main
+ push:
+ pull_request:
+ branches: [main]
+
+permissions: read-all
+
+env:
+ # Apply linter fixes configuration
+ # When active, APPLY_FIXES must also be defined as environment variable
+ # (in github/workflows/mega-linter.yml or other CI tool)
+ APPLY_FIXES: all
+ APPLY_FIXES_EVENT: pull_request
+ # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request)
+ APPLY_FIXES_MODE: pull_request
+
+concurrency:
+ group: ${{ github.ref }}-${{ github.workflow }}
+ cancel-in-progress: true
+
+jobs:
+ megalinter:
+ name: MegaLinter
+ runs-on: ubuntu-latest
+ permissions:
+ # Give the default GITHUB_TOKEN write permission to commit and push, comment issues & post new PR
+ # Remove the ones you do not need
+ contents: read
+ issues: write
+ pull-requests: write
+ steps:
+ # Git Checkout
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+ # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances
+ fetch-depth: 0
+
+ # MegaLinter
+ - name: MegaLinter
+ id: ml
+ # You can override MegaLinter flavor used to have faster performances
+ # More info at https://megalinter.io/flavors/
+ uses: oxsecurity/megalinter/flavors/documentation@v8
+ env:
+ # All available variables are described in documentation
+ # https://megalinter.io/configuration/
+ # Validates all source when push on main, else just the git diff with main.
+ # Override with true if you always want to lint all sources
+ VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
+ DISABLE: COPYPASTE
+ DISABLE_LINTERS: REPOSITORY_GRYPE,REPOSITORY_TRIVY,REPOSITORY_TRUFFLEHOG,SPELL_CSPELL
+ # Scan only changes in PR, otherwise scan everything
+ REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: ${{ github.event_name == 'pull_request' }}
+
+ # Upload MegaLinter artifacts
+ - name: Archive production artifacts
+ if: success() || failure()
+ uses: actions/upload-artifact@v4
+ with:
+ name: MegaLinter reports
+ path: |
+ megalinter-reports
+ mega-linter.log
+
+ # Create pull request if applicable (for now works only on PR from same repository, not from forks)
+ - name: Create Pull Request with applied fixes
+ id: cpr
+ if: steps.ml.outputs.has_updated_sources == 1 &&
+ (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT ==
+ github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' &&
+ (github.event_name == 'push' ||
+ github.event.pull_request.head.repo.full_name == github.repository) &&
+ !contains(github.event.head_commit.message, 'skip fix')
+ uses: peter-evans/create-pull-request@v6
+ with:
+ token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+ commit-message: "[MegaLinter] Apply linters automatic fixes"
+ title: "[MegaLinter] Apply linters automatic fixes"
+ labels: bot
+ - name: Create PR output
+ if: steps.ml.outputs.has_updated_sources == 1 &&
+ (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT ==
+ github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' &&
+ (github.event_name == 'push' ||
+ github.event.pull_request.head.repo.full_name == github.repository) &&
+ !contains(github.event.head_commit.message, 'skip fix')
+ run: |
+ echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
+ echo "Pull Request 
URL - ${{ steps.cpr.outputs.pull-request-url }}"
+
+ # Push new commit if applicable (for now works only on PR from same repository, not from forks)
+ - name: Prepare commit
+ if: steps.ml.outputs.has_updated_sources == 1 &&
+ (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT ==
+ github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref
+ != 'refs/heads/main' && (github.event_name == 'push' ||
+ github.event.pull_request.head.repo.full_name == github.repository) &&
+ !contains(github.event.head_commit.message, 'skip fix')
+ run: sudo chown -Rc $UID .git/
+ - name: Commit and push applied linter fixes
+ if: steps.ml.outputs.has_updated_sources == 1 &&
+ (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT ==
+ github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref
+ != 'refs/heads/main' && (github.event_name == 'push' ||
+ github.event.pull_request.head.repo.full_name == github.repository) &&
+ !contains(github.event.head_commit.message, 'skip fix')
+ uses: stefanzweifel/git-auto-commit-action@v4
+ with:
+ branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
+ commit_message: "[MegaLinter] Apply linters fixes"
+ commit_user_name: egibot
+ commit_user_email: egibot@egi.eu
diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml
index 79a299bde0..f972f437a5
--- a/.github/workflows/spelling.yml
+++ b/.github/workflows/spelling.yml
@@ -74,6 +74,8 @@ on:
 types:
 - "created"
+permissions: read-all
+
 jobs:
 spelling:
 name: Check Spelling
diff --git a/.lycheeignore b/.lycheeignore
new file mode 100644
index 0000000000..582d7a270a
--- /dev/null
+++ b/.lycheeignore
@@ -0,0 +1,2 @@
+https://docs.egi.eu/documentation/*
+https://megalinter.io/*
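Review bot: The `Checkout Code` step passes `token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}` without `persist-credentials: false`, so whenever a PAT is configured it is written into `.git/config` and is readable by every later step, including the MegaLinter container that runs many third-party linters on configuration and content taken from the pull request. With `APPLY_FIXES_MODE: pull_request` the only step that needs the PAT is `Create Pull Request with applied fixes`, which already receives it through its own `token:` input, and the `commit` branch using git-auto-commit-action is never taken under this configuration. Add `persist-credentials: false` under the checkout `with:` block, and if commit mode is ever enabled give that step its own token rather than relying on the persisted one. Separately, the four action references (`actions/checkout@v4`, `oxsecurity/megalinter/flavors/documentation@v8`, `peter-evans/create-pull-request@v6`, `stefanzweifel/git-auto-commit-action@v4`) are mutable tags; pinning them to full commit SHAs would match the least-privilege intent of the `permissions:` changes in this commit.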