diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
index 8f53537..beb4084 100644
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@@ -14,6 +14,12 @@ on:
     paths:
       - .github/workflows/**
 
+permissions: {}
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   actionlint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/conflibot.yml b/.github/workflows/conflibot.yml
new file mode 100644
index 0000000..e5b4d1e
--- /dev/null
+++ b/.github/workflows/conflibot.yml
@@ -0,0 +1,31 @@
+name: Check pull requests for conflicts
+
+on:
+  pull_request_target:
+    types: [ opened, synchronize, reopened ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  conflibot:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: read
+      pull-requests: read
+      checks: write
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: wktk/conflibot@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exclude: ""
diff --git a/.github/workflows/metacheck.yml b/.github/workflows/metacheck.yml
index fa74484..9330037 100644
--- a/.github/workflows/metacheck.yml
+++ b/.github/workflows/metacheck.yml
@@ -10,6 +10,12 @@ on:
   pull_request:
     types: [ opened, synchronize, reopened ]  # Same as default
 
+permissions: {}
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   meta-check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test-integration.yml b/.github/workflows/test-integration.yml
index 0209cde..845533e 100644
--- a/.github/workflows/test-integration.yml
+++ b/.github/workflows/test-integration.yml
@@ -22,6 +22,12 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.inputs.runner }}
   cancel-in-progress: true
 
+permissions: {}
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   test:
     if: github.event.pull_request.head.repo.fork == false # Skip on public fork, because can not read secrets.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index de09cee..4b53496 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -22,6 +22,12 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   test:
     if: github.event.pull_request.head.repo.fork == false # Skip on public fork, because can not read secrets.