diff --git a/.github/actions/ci-cli-coverage-merge/action.yaml b/.github/actions/ci-cli-coverage-merge/action.yaml
index a03e5df6c7..1b8bfc3095 100644
--- a/.github/actions/ci-cli-coverage-merge/action.yaml
+++ b/.github/actions/ci-cli-coverage-merge/action.yaml
@@ -84,6 +84,7 @@ runs:
           --coverage \
           --coverage.reporter=text-summary \
           --coverage.reporter=json-summary \
+          --coverage.reporter=cobertura \
           --coverage.reportsDirectory=coverage/cli \
           --coverage.include="bin/**/*.js" \
           --coverage.include="dist/lib/**/*.js" \
@@ -91,6 +92,14 @@ runs:
           --coverage.exclude="test/**/*.ts"
         npx tsx scripts/check-coverage-ratchet.ts coverage/cli/coverage-summary.json ci/coverage-threshold-cli.json "CLI coverage"
 
+    - name: Upload CLI coverage report
+      if: ${{ always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
+      uses: actions/upload-code-coverage@abb5995db9e0199b0e2bb9dbd136fce4cb1ec4d3 # v1
+      with:
+        file: coverage/cli/cobertura-coverage.xml
+        language: TypeScript
+        label: code-coverage/cli
+
     - name: Upload CLI Vitest timing report
       if: always()
       uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
diff --git a/.github/actions/ci-plugin-coverage/action.yaml b/.github/actions/ci-plugin-coverage/action.yaml
index 6211d38f2b..2a93f8ed9d 100644
--- a/.github/actions/ci-plugin-coverage/action.yaml
+++ b/.github/actions/ci-plugin-coverage/action.yaml
@@ -26,7 +26,16 @@ runs:
           --coverage \
           --coverage.reporter=text-summary \
           --coverage.reporter=json-summary \
+          --coverage.reporter=cobertura \
           --coverage.reportsDirectory=coverage/plugin \
           --coverage.include="nemoclaw/src/**/*.ts" \
           --coverage.exclude="**/*.test.ts"
         npx tsx scripts/check-coverage-ratchet.ts coverage/plugin/coverage-summary.json ci/coverage-threshold-plugin.json "Plugin coverage"
+
+    - name: Upload plugin coverage report
+      if: ${{ always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
+      uses: actions/upload-code-coverage@abb5995db9e0199b0e2bb9dbd136fce4cb1ec4d3 # v1
+      with:
+        file: coverage/plugin/cobertura-coverage.xml
+        language: TypeScript
+        label: code-coverage/plugin
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 7946d39994..0d0a67c64e 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -79,6 +79,11 @@ jobs:
   cli-tests:
     needs: cli-test-shards
     if: ${{ always() }}
+    permissions:
+      actions: read
+      code-quality: write
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
@@ -102,6 +107,10 @@ jobs:
           shard-count: "5"
 
   plugin-tests:
+    permissions:
+      code-quality: write
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 545a4ddbaf..5faaf546f9 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -233,6 +233,11 @@ jobs:
       - changes
       - cli-test-shards
     if: ${{ always() && needs.changes.outputs.code == 'true' }}
+    permissions:
+      actions: read
+      code-quality: write
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
@@ -273,6 +278,10 @@ jobs:
   plugin-tests:
     needs: changes
     if: needs.changes.outputs.code == 'true'
+    permissions:
+      code-quality: write
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps: