diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000000..70f73c2b060
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,6 @@
+# https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
+
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence, these accounts
+# will be requested for review when someone opens a pull request.
+* @aws/aws-ecs-agent
diff --git a/.github/workflows/gitsecrets.yml b/.github/workflows/gitsecrets.yml
index f01997d9c8c..6e151327525 100644
--- a/.github/workflows/gitsecrets.yml
+++ b/.github/workflows/gitsecrets.yml
@@ -2,6 +2,7 @@ name: GitSecretsScan
 on: [push, pull_request]
+permissions: read-all
 jobs:
 git-secret-check:
 name: Git Secrets Scan
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 62941cb32f4..17821d556a9 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -2,6 +2,7 @@ name: Linux
 on: [pull_request]
+permissions: read-all
 jobs:
 unit-tests:
 name: Linux unit tests
@@ -13,7 +14,15 @@ jobs:
 - name: get GO_VERSION
 run: |
 cd $GITHUB_WORKSPACE/src/github.com/aws/amazon-ecs-agent
- echo "GO_VERSION=$(cat GO_VERSION)" >> $GITHUB_ENV
+ set -eou pipefail
+ go_version=$(cat -e GO_VERSION)
+ go_version=${go_version%?}
+ go_version_re="^(\d+\.)?(\d+\.)?(\*|\d+)$"
+ if ! [[ $go_version =~ $go_version_re ]] ; then
+ echo "invalid GO version"
+ exit 1
+ fi
+ echo "::set-output name=GO_VERSION::$go_version"
 - uses: actions/setup-go@v2
 with:
 go-version: ${{ env.GO_VERSION }}
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
index 776e47a68cb..008179750d7 100644
--- a/.github/workflows/static.yml
+++ b/.github/workflows/static.yml
@@ -2,6 +2,7 @@ name: Static Checks
 on: [push, pull_request]
+permissions: read-all
 jobs:
 static-check:
 name: Static Analysis
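Review bot: In `.github/workflows/gitsecrets.yml`, `permissions: read-all` still gives the workflow token read access on every scope; if the jobs only need to check out the repository, the narrower form is `permissions:` followed by `contents: read`. The job steps lie outside this hunk, so confirm that no step needs another scope before narrowing. The same line is added at the top of `linux.yml`, `static.yml` and `windows.yml`.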
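Review bot: In the second hunk of `.github/workflows/linux.yml`, the `setup-go` step still reads `${{ env.GO_VERSION }}`, but the new script no longer writes to `$GITHUB_ENV`. It emits a step output with `::set-output` instead, and no `id` is visible on the step through which that output could be read, so `go-version` is likely empty. Writing the validated value back to the environment keeps the consumer working: `echo "GO_VERSION=$go_version" >> "$GITHUB_ENV"`. Separately, bash's `=~` uses POSIX extended regular expressions, where `\d` is not a digit class, so a value such as `1.17.5` (constructed example) would probably be rejected; `go_version_re='^([0-9]+\.)?([0-9]+\.)?(\*|[0-9]+)$'` expresses the intended pattern. Both points apply to the identical hunk in `.github/workflows/static.yml`, and the `env.GO_VERSION_WINDOWS` mismatch applies to `windows.yml` as well.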
@@ -13,7 +14,15 @@ jobs:
 - name: get GO_VERSION
 run: |
 cd $GITHUB_WORKSPACE/src/github.com/aws/amazon-ecs-agent
- echo "GO_VERSION=$(cat GO_VERSION)" >> $GITHUB_ENV
+ set -eou pipefail
+ go_version=$(cat -e GO_VERSION)
+ go_version=${go_version%?}
+ go_version_re="^(\d+\.)?(\d+\.)?(\*|\d+)$"
+ if ! [[ $go_version =~ $go_version_re ]] ; then
+ echo "invalid GO version"
+ exit 1
+ fi
+ echo "::set-output name=GO_VERSION::$go_version"
 - uses: actions/setup-go@v2
 with:
 go-version: ${{ env.GO_VERSION }}
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 5f96bef035e..14a438f0e88 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -2,6 +2,7 @@ name: Windows
 on: [pull_request]
+permissions: read-all
 jobs:
 windows-unit-tests:
 name: Windows unit tests
@@ -14,7 +15,13 @@ jobs:
 run: |
 cd "$Env:GITHUB_WORKSPACE"
 cd "src/github.com/aws/amazon-ecs-agent"
- echo "GO_VERSION_WINDOWS=$(type GO_VERSION_WINDOWS)" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+ $go_version_win = $(type GO_VERSION_WINDOWS)
+ $go_version_re = "^(\d+\.)?(\d+\.)?(\*|\d+)$"
+ if ($go_version_win -match $go_version_re) {
+ echo "invalid GO version"
+ exit 1
+ }
+ Write-Output "::set-output name=GO_VERSION_WINDOWS::$go_version_win"
 - uses: actions/setup-go@v2
 with:
 go-version: ${{ env.GO_VERSION_WINDOWS }}
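Review bot: In the second hunk of `.github/workflows/windows.yml`, the version check is inverted: `if ($go_version_win -match $go_version_re)` prints "invalid GO version" and exits when the file content does match the pattern, and lets non-matching content through to the output line. The condition should use the negated operator, `if ($go_version_win -notmatch $go_version_re) {`. Since `type` returns an array for a multi-line file, reading with `Get-Content -Raw` and trimming the result before the comparison would make the check cover the whole file content rather than filter individual lines.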