diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bb013b7..5332dfb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -69,12 +69,15 @@ jobs:
 security_audit:
 name: Security Audit
 runs-on: ubuntu-latest
+ permissions:
+ checks: write
+ contents: read
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@v4
 - uses: rustsec/audit-check@v1.4.1
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
- ignore: RUSTSEC-2024-0364
+ ignore: RUSTSEC-2024-0364,RUSTSEC-2024-0436
 coverage:
 name: Code Coverage
diff --git a/deny.toml b/deny.toml
index 127c971..cfeee2e 100644
--- a/deny.toml
+++ b/deny.toml
@@ -82,6 +82,7 @@ feature-depth = 1
 # output a note when they are encountered.
 ignore = [
 "RUSTSEC-2024-0364", # gitoxide-core does not neutralize special characters for terminals. No patched version available.
+ "RUSTSEC-2024-0436", # paste is unmaintained; it is a transitive dependency via rustls-ffi -> macro_rules_attribute and has no patched version or security impact.
 # "RUSTSEC-0000-0000",
 # { id = "RUSTSEC-0000-0000", reason = "you can specify a reason the advisory is ignored" },
 # "a-crate-that-is-yanked@0.1.1", # you can also ignore yanked crate versions if you wish
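Review bot: Both `uses:` lines in the `security_audit` job reference mutable tags (`actions/checkout@v4`, `rustsec/audit-check@v1.4.1`), and the second one receives a token that this change grants `checks: write`. A retagged release would run with that permission, so pin each action to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: rustsec/audit-check@<full-commit-sha>  # v1.4.1` (placeholder, take the SHA from the release). The step from `actions/checkout@v6` back to `@v4` is not explained in the visible change; a short comment above it saying why would keep it from being bumped again by accident. The `ignore:` list here now duplicates the one in `deny.toml`, so a comment such as `# keep in sync with [advisories].ignore in deny.toml` above it would help prevent the two drifting apart.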
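Review bot: The new `RUSTSEC-2024-0436` entry records its justification only in a trailing comment, so nothing shows up in cargo-deny's output and nothing prompts a re-check later. The file's own template two lines below shows the table form; writing the entry as `{ id = "RUSTSEC-2024-0436", reason = "paste is unmaintained; transitive via rustls-ffi -> macro_rules_attribute; no patched version" },` keeps the reason attached to the ignore itself. I would also state the exit condition in that reason (remove once rustls-ffi no longer pulls in paste), because an ignore on an unmaintained crate would presumably also hide later updates to the same advisory. The `ignore` array opens inside this hunk but closes outside it.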