diff --git a/.github/workflows/ast-grep.yml b/.github/workflows/ast-grep.yml
index b1e2e660285..9a51819d772 100644
--- a/.github/workflows/ast-grep.yml
+++ b/.github/workflows/ast-grep.yml
@@ -10,6 +10,9 @@ on:
 # globs for files that we want to check with ast-grep here
 - '**/*.lua'
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d71adeb8341..8ff37d7fd89 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,6 +10,9 @@ on:
 description: 'Computed cache key, used for restoring cache in other workflows'
 value: ${{ jobs.build.outputs.cache-key }}
 
+permissions:
+ contents: read
+
 env:
 BUILD_ROOT: ${{ github.workspace }}/${{ inputs.relative-build-root }}
 
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
index bc03b233d38..222b2226d6f 100644
--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@@ -28,6 +28,9 @@ on:
 type: boolean
 default: false
 
+permissions:
+ contents: read
+
 # cancel previous runs if new commits are pushed to the PR, but run for each commit on master
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/buildifier.yml b/.github/workflows/buildifier.yml
index 85d3aaab0c2..8efead3e9da 100644
--- a/.github/workflows/buildifier.yml
+++ b/.github/workflows/buildifier.yml
@@ -17,6 +17,9 @@ on:
 - master
 - release/*
 
+permissions:
+ contents: read
+
 jobs:
 
 autoformat:
diff --git a/.github/workflows/changelog-requirement.yml b/.github/workflows/changelog-requirement.yml
index 89a5eeb3561..58de4e2a30a 100644
--- a/.github/workflows/changelog-requirement.yml
+++ b/.github/workflows/changelog-requirement.yml
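Review bot: In .github/workflows/ast-grep.yml the new top-level `permissions:` block has no comment saying that, once `contents` is named, every scope left unlisted is set to `none` for all jobs in the workflow. I would put `# Least privilege for GITHUB_TOKEN: scopes not listed here are none; grant extras per job.` above `permissions:`, so a later step that needs another scope is widened at job level rather than here. The same block is added without a comment in build.yml, build_and_test.yml, buildifier.yml, changelog-requirement.yml, changelog-validation.yml and copyright-check.yml. The job definitions lie outside these hunks, so whether any existing step depends on a scope that is now `none` cannot be confirmed from the diff.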
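Review bot: In .github/workflows/build.yml the block is added to what looks like a reusable workflow (the context line `value: ${{ jobs.build.outputs.cache-key }}` is a `workflow_call` output), and a called workflow can keep or lower the caller's token permissions but never raise them. A caller that grants less than `contents: read`, for example `permissions: {}`, is expected to fail workflow validation now instead of running the build. build_and_test.yml receives the same block in this commit; other callers are not visible here and are worth checking. A comment such as `# Callers must grant at least contents: read.` above the block would record the requirement.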
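Review bot: In .github/workflows/buildifier.yml the job under the new block is named `autoformat`, and a job that pushes formatting fixes back to the branch would get a 403 from a token limited to `contents: read`. The job body is outside the hunk, so this is inferred from the name only. If it does push, grant the scope on that job alone with `permissions:` / `contents: write` under `autoformat:` and keep the workflow default read-only; if it only checks formatting, a one-line comment saying so would settle the question.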
@@ -9,6 +9,9 @@ on:
 - '.requirements'
 - 'changelog/**'
 
+permissions:
+ contents: read
+
 jobs:
 require-changelog:
 if: ${{ !contains(github.event.*.labels.*.name, 'skip-changelog') }}
diff --git a/.github/workflows/changelog-validation.yml b/.github/workflows/changelog-validation.yml
index 6796acedc6d..ae20fcdf062 100644
--- a/.github/workflows/changelog-validation.yml
+++ b/.github/workflows/changelog-validation.yml
@@ -4,6 +4,9 @@ on:
 pull_request:
 types: [ opened, synchronize ]
 
+permissions:
+ contents: read
+
 jobs:
 validate-changelog:
 name: Validate changelog
diff --git a/.github/workflows/copyright-check.yml b/.github/workflows/copyright-check.yml
index 3459f669077..384145b7773 100644
--- a/.github/workflows/copyright-check.yml
+++ b/.github/workflows/copyright-check.yml
@@ -3,6 +3,9 @@ name: Detect Unexpected EE Changes
 on:
 pull_request:
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}