diff --git a/.github/workflows/code-verify.yml b/.github/workflows/code-verify.yml
index 199b771..8cd40cf 100644
--- a/.github/workflows/code-verify.yml
+++ b/.github/workflows/code-verify.yml
@@ -2,6 +2,9 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Static code analysis and unit testing
+permissions:
+  contents: read
+
 on:
   push:
     paths-ignore: 
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 47dfbee..7167a66 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: E2E tests
+permissions:
+  contents: read
 
 on:
   pull_request:
diff --git a/controllers/redis_manager.go b/controllers/redis_manager.go
index 8eddf94..569089f 100644
--- a/controllers/redis_manager.go
+++ b/controllers/redis_manager.go
@@ -379,6 +379,11 @@ func (r *RedkeyClusterReconciler) doSlowUpgradeResharding(ctx context.Context, r
 
 	// RollingUpdate
 	r.logInfo(redkeyCluster.NamespacedName(), "Executing partition Rolling Update", "partition", currentPartition)
+	if currentPartition < 0 || currentPartition > math.MaxInt32 {
+		err = fmt.Errorf("invalid partition index %d: must be between 0 and %d", currentPartition, int(math.MaxInt32))
+		r.logError(redkeyCluster.NamespacedName(), err, "Partition value out of int32 range")
+		return err
+	}
 	localPartition := int32(currentPartition)
 	existingStatefulSet.Spec.UpdateStrategy = v1.StatefulSetUpdateStrategy{
 		Type:          v1.RollingUpdateStatefulSetStrategyType,