diff --git a/knowledge-base/actions/actions/add-to-project/action-security.yml b/knowledge-base/actions/actions/add-to-project/action-security.yml
new file mode 100644
index 00000000..6dc15d8a
--- /dev/null
+++ b/knowledge-base/actions/actions/add-to-project/action-security.yml
@@ -0,0 +1,8 @@
+name: Add To GitHub projects
+github-token:
+ action-input:
+ input: github-token
+ is-default: false
+ permissions:
+ repository-projects: write
+ repository-projects-reason: to assign issues and PRs to repo project
diff --git a/knowledge-base/actions/actions/delete-package-versions/action-security.yml b/knowledge-base/actions/actions/delete-package-versions/action-security.yml
new file mode 100644
index 00000000..0a498601
--- /dev/null
+++ b/knowledge-base/actions/actions/delete-package-versions/action-security.yml
@@ -0,0 +1,8 @@
+name: Delete Package Versions
+github-token:
+ action-input:
+ input: token
+ is-default: true
+ permissions:
+ packages: write
+ packages-reason: to delete packages
diff --git a/knowledge-base/actions/arduino/setup-protoc/action-security.yml b/knowledge-base/actions/arduino/setup-protoc/action-security.yml
new file mode 100644
index 00000000..d469d689
--- /dev/null
+++ b/knowledge-base/actions/arduino/setup-protoc/action-security.yml
@@ -0,0 +1,2 @@
+name: 'Setup protoc'
+# GITHUB_TOKEN only used to prevent throttling
diff --git a/knowledge-base/actions/changesets/action/action-security.yml b/knowledge-base/actions/changesets/action/action-security.yml
new file mode 100644
index 00000000..91e20bd6
--- /dev/null
+++ b/knowledge-base/actions/changesets/action/action-security.yml
@@ -0,0 +1,8 @@
+name: Changesets
+github-token:
+ environment-variable-name: GITHUB_TOKEN
+ permissions:
+ pull-requests: write
+ pull-requests-reason: to create PRs # https://github.com/changesets/action/issues/220#issuecomment-1272514354
+ contents: write
+ contents-reason: to push to the repo # https://github.com/changesets/action/issues/220#issuecomment-1272514354
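Review bot: In add-to-project/action-security.yml the `repository-projects: write` mapping cites no source, and with `is-default: false` it only matters when a workflow passes the job's GITHUB_TOKEN to `github-token`. As far as I know `repository-projects` covers classic repository projects only, so if the action targets the newer Projects the input would have to be a PAT and this entry would recommend a write scope that does nothing. Please confirm against the action's README and record the result, e.g. `# applies only when GITHUB_TOKEN is passed as github-token; see <link to upstream docs>`, the way the changesets entry cites its issue comment.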
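Review bot: The comment in setup-protoc/action-security.yml says the token is only used to prevent throttling, but not that no permission is required, so a reader cannot tell whether the entry is complete or unfinished. I would spell it out, e.g. `# GITHUB_TOKEN is passed only to avoid API rate limiting; no permissions needed`. The isbang and roryprimrose entries in this commit also put the `owner/repo` slug as a trailing comment on `name:`, while this file and the peaceiris one do not; using one form throughout keeps the knowledge base easy to grep.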
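Review bot: The changesets entry omits `is-default`, while the codfish/semantic-release-action entry in this same commit uses the same `environment-variable-name: GITHUB_TOKEN` form and sets `is-default: false`. The consumer's schema is not visible here, so it is unclear whether a missing key is read as false or whether the key has any meaning for environment variables. Either add `is-default: false` here or drop it from the codfish file so both env-var entries agree. The two reason lines also cite the same issue comment twice; a single comment line above `permissions:` would read more cleanly.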
diff --git a/knowledge-base/actions/codfish/semantic-release-action/action-security.yml b/knowledge-base/actions/codfish/semantic-release-action/action-security.yml
new file mode 100644
index 00000000..59938e98
--- /dev/null
+++ b/knowledge-base/actions/codfish/semantic-release-action/action-security.yml
@@ -0,0 +1,7 @@
+name: 'Semantic Release Action'
+github-token:
+ environment-variable-name: GITHUB_TOKEN
+ is-default: false
+ permissions:
+ contents: write
+ contents-reason: to create release tags
diff --git a/knowledge-base/actions/isbang/setup-awscli/action-security.yml b/knowledge-base/actions/isbang/setup-awscli/action-security.yml
new file mode 100644
index 00000000..7784fbd7
--- /dev/null
+++ b/knowledge-base/actions/isbang/setup-awscli/action-security.yml
@@ -0,0 +1,2 @@
+name: 'Setup AWS cli' # isbang/setup-awscli
+# GITHUB_TOKEN not used
diff --git a/knowledge-base/actions/peaceiris/actions-mdbook/action-security.yml b/knowledge-base/actions/peaceiris/actions-mdbook/action-security.yml
new file mode 100644
index 00000000..f59b1334
--- /dev/null
+++ b/knowledge-base/actions/peaceiris/actions-mdbook/action-security.yml
@@ -0,0 +1,2 @@
+name: 'mdBook Action'
+# GITHUB_TOKEN not used
diff --git a/knowledge-base/actions/roryprimrose/set-vs-sdk-project-version/action-security.yml b/knowledge-base/actions/roryprimrose/set-vs-sdk-project-version/action-security.yml
new file mode 100644
index 00000000..50a3b11d
--- /dev/null
+++ b/knowledge-base/actions/roryprimrose/set-vs-sdk-project-version/action-security.yml
@@ -0,0 +1,2 @@
+name: 'Version Visual Studio SDK projects' # roryprimrose/set-vs-sdk-project-version
+# GITHUB_TOKEN not used
diff --git a/knowledge-base/actions/step-security/wait-for-secrets/action-security.yml b/knowledge-base/actions/step-security/wait-for-secrets/action-security.yml
new file mode 100644
index 00000000..1a984d6c
--- /dev/null
+++ b/knowledge-base/actions/step-security/wait-for-secrets/action-security.yml
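Review bot: `contents: write` alone may be too narrow in semantic-release-action/action-security.yml. semantic-release's default GitHub plugin, which I believe this action runs unless configured otherwise, also comments on the issues and pull requests included in a release. If that holds, a workflow hardened from this entry would lose those comments or fail at that step. Consider adding `issues: write` and `pull-requests: write`, each with a matching `-reason` line, or a comment stating that they were checked and found unnecessary. The existing reason could also mention publishing the GitHub release, not only the tag.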
@@ -0,0 +1,8 @@
+name: "Wait for secrets"
+github-token:
+ action-input:
+ input: token
+ is-default: true
+ permissions:
+ id-token: write
+ id-token-reason: to authenticate Action to API
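Review bot: The `id-token-reason` in wait-for-secrets/action-security.yml is too vague for a permission this sensitive: `id-token: write` lets the job request an OIDC token, and it is granted to the whole job, so every step in it can request one. I would word it as `id-token-reason: to request an OIDC token used to authenticate the Action to its API`. It is also worth confirming that modelling this under `action-input` / `input: token` is right, since OIDC tokens are normally requested through the runner's request URL, not through a token input; that cannot be checked from this hunk.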