diff --git a/.github/workflows/check-circular-deps.yml b/.github/workflows/check-circular-deps.yml
index 3c8821651f8..e2830e96174 100644
--- a/.github/workflows/check-circular-deps.yml
+++ b/.github/workflows/check-circular-deps.yml
@@ -9,6 +9,9 @@ on:
 pull_request:
 branches: [3.0*, fasttrack/*, "!fasttrack/2.0"]
 
+permissions:
+ contents: read
+
 jobs:
 spec-check:
 name: Circular dependency check
diff --git a/.github/workflows/check-clean-stage.yml b/.github/workflows/check-clean-stage.yml
index 65c6deddaad..d9a33db7f54 100644
--- a/.github/workflows/check-clean-stage.yml
+++ b/.github/workflows/check-clean-stage.yml
@@ -10,6 +10,9 @@ on:
 pull_request:
 branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions:
+ contents: read
+
 jobs:
 spec-clean-stage-check:
 name: Spec %clean stage check
diff --git a/.github/workflows/check-entangled-specs.yml b/.github/workflows/check-entangled-specs.yml
index 74beaf4a13f..0e566b911ac 100644
--- a/.github/workflows/check-entangled-specs.yml
+++ b/.github/workflows/check-entangled-specs.yml
@@ -12,6 +12,9 @@ on:
 pull_request:
 branches: [main, dev, 1.0*, 2.0*, 3.0*, fasttrack/*]
 
+permissions:
+ contents: read
+
 jobs:
 check:
 name: Spec Entanglement Mismatch Check
diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml
index 7ecf104a9df..9393d91b77f 100644
--- a/.github/workflows/check-files.yml
+++ b/.github/workflows/check-files.yml
@@ -9,6 +9,9 @@ on:
 pull_request:
 branches: [main, 2.0*, 3.0*, fasttrack/*]
 
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/check-kernel-configs.yml b/.github/workflows/check-kernel-configs.yml
index e119b10010e..4f7c016938a 100644
--- a/.github/workflows/check-kernel-configs.yml
+++ b/.github/workflows/check-kernel-configs.yml
@@ -15,6 +15,9 @@ on:
 paths:
 - 'SPECS/kernel*/config*'
 
+permissions:
+ contents: read
+
 jobs:
 check:
 name: Kernel configs check
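Review bot: The `permissions:` block added at workflow level in check-circular-deps.yml has no comment explaining it, and the same three lines are repeated in every other workflow this commit touches. Declaring any scope at this level sets every unlisted scope of the GITHUB_TOKEN to `none`, so a step that posts a pull-request comment, applies a label or reads the pull-requests API would begin to fail with a 403. The job steps lie outside these hunks, so that needs confirming per workflow. I would add `# Least-privilege GITHUB_TOKEN: these jobs only read the repository.` above the block. Where a job does need more, grant the extra scope on that job rather than widening the workflow default.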
diff --git a/.github/workflows/check-license-map.yml b/.github/workflows/check-license-map.yml
index 4b5332d9c77..172e053501e 100644
--- a/.github/workflows/check-license-map.yml
+++ b/.github/workflows/check-license-map.yml
@@ -11,6 +11,9 @@ on:
 pull_request:
 branches: [main, dev, 1.0*, 2.0*, 3.0*, fasttrack/*]
 
+permissions:
+ contents: read
+
 jobs:
 check:
 name: Spec License Map Check
diff --git a/.github/workflows/check-manifests.yml b/.github/workflows/check-manifests.yml
index e2d4aafa507..0bcd4705bed 100644
--- a/.github/workflows/check-manifests.yml
+++ b/.github/workflows/check-manifests.yml
@@ -9,6 +9,9 @@ on:
 pull_request:
 branches: [main, dev, 1.0*, 2.0*, 3.0*, fasttrack/*]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Check Manifests
diff --git a/.github/workflows/check-package-builds.yml b/.github/workflows/check-package-builds.yml
index 8ffc8bea66f..ad8ee7ff449 100644
--- a/.github/workflows/check-package-builds.yml
+++ b/.github/workflows/check-package-builds.yml
@@ -28,6 +28,9 @@ on:
 - "toolkit/scripts/*"
 - "toolkit/tools/*"
 
+permissions:
+ contents: read
+
 jobs:
 package-checks:
 name: ${{ matrix.check-name }}
diff --git a/.github/workflows/check-package-cgmanifest.yml b/.github/workflows/check-package-cgmanifest.yml
index 02162e16e62..0190755c2e7 100644
--- a/.github/workflows/check-package-cgmanifest.yml
+++ b/.github/workflows/check-package-cgmanifest.yml
@@ -9,6 +9,9 @@ on:
 pull_request:
 branches: [main, dev, 1.0*, 2.0*, 3.0*, fasttrack/*]
 
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/check-package-update-gate.yml b/.github/workflows/check-package-update-gate.yml
index e8ed034dc58..d506a8b6b25 100644
--- a/.github/workflows/check-package-update-gate.yml
+++ b/.github/workflows/check-package-update-gate.yml
@@ -9,6 +9,9 @@ on:
 pull_request:
 branches: [main, 2.0*, 3.0*, fasttrack/*]
 
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/check-source-signatures.yml b/.github/workflows/check-source-signatures.yml
index a095c515521..a35622792a7 100644
--- a/.github/workflows/check-source-signatures.yml
+++ b/.github/workflows/check-source-signatures.yml
@@ -9,6 +9,9 @@ on:
 pull_request:
 branches: [3.0*]
 
+permissions:
+ contents: read
+
 jobs:
 spec-check:
 name: Source Signature Check
diff --git a/.github/workflows/check-spec.yml b/.github/workflows/check-spec.yml
index 65541bcfd3b..295eef4fdbc 100644
--- a/.github/workflows/check-spec.yml
+++ b/.github/workflows/check-spec.yml
@@ -9,6 +9,9 @@ on:
 pull_request:
 branches: [main, dev, 1.0*, 2.0*, 3.0*, fasttrack/*]
 
+permissions:
+ contents: read
+
 jobs:
 spec-check:
 name: Spec files check
diff --git a/.github/workflows/check-srpm-duplicates.yml b/.github/workflows/check-srpm-duplicates.yml
index 91c1a14fa90..f31cc6c8591 100644
--- a/.github/workflows/check-srpm-duplicates.yml
+++ b/.github/workflows/check-srpm-duplicates.yml
@@ -11,6 +11,9 @@ on:
 pull_request:
 branches: [main, 2.0*, 3.0*, fasttrack/*]
 
+permissions:
+ contents: read
+
 jobs:
 check:
 name: SRPMs duplicates check
diff --git a/.github/workflows/check-static-glibc.yml b/.github/workflows/check-static-glibc.yml
index 2a1a0ed2232..536aeec60bb 100644
--- a/.github/workflows/check-static-glibc.yml
+++ b/.github/workflows/check-static-glibc.yml
@@ -10,6 +10,9 @@ on:
 pull_request:
 branches: [main, dev, 1.0*, 2.0*, 3.0*, fasttrack/*]
 
+permissions:
+ contents: read
+
 jobs:
 spec-check:
 name: Static glibc version check
diff --git a/.github/workflows/go-test-coverage.yml b/.github/workflows/go-test-coverage.yml
index 061764311d3..5840cc7f7cd 100644
--- a/.github/workflows/go-test-coverage.yml
+++ b/.github/workflows/go-test-coverage.yml
@@ -12,6 +12,9 @@ on:
 env:
 EXPECTED_GO_VERSION: "1.23"
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Go Test Coverage
diff --git a/.github/workflows/lint-specs.yml b/.github/workflows/lint-specs.yml
index c20f17d49af..7d0428888d5 100644
--- a/.github/workflows/lint-specs.yml
+++ b/.github/workflows/lint-specs.yml
@@ -13,6 +13,9 @@ on:
 - '**.spec'
 branches: [main, dev, 1.0*, 2.0*, 3.0*, fasttrack/*]
 
+permissions:
+ contents: read
+
 jobs:
 spec-lint:
 name: Spec Linting
diff --git a/.github/workflows/merge-conflict-check.yml b/.github/workflows/merge-conflict-check.yml
index eecd098a2e0..01f0f44d183 100644
--- a/.github/workflows/merge-conflict-check.yml
+++ b/.github/workflows/merge-conflict-check.yml
@@ -9,6 +9,9 @@ on:
 pull_request:
 branches: [main, dev, 1.0*, 2.0*, 3.0*, fasttrack/*]
 
+permissions:
+ contents: read
+
 jobs:
 spec-check:
 name: Github Merge Conflict Check
diff --git a/.github/workflows/quickstart_2.0.yml b/.github/workflows/quickstart_2.0.yml
index d150d597397..9199e17e074 100644
--- a/.github/workflows/quickstart_2.0.yml
+++ b/.github/workflows/quickstart_2.0.yml
@@ -10,6 +10,9 @@ on:
 schedule:
 - cron: "0 15 * * *"
 
+permissions:
+ contents: read
+
 jobs:
 iso_quickstart:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/verify-osguard-imageconfigs.yml b/.github/workflows/verify-osguard-imageconfigs.yml
index c3f97b69218..ce46a6a6e8b 100644
--- a/.github/workflows/verify-osguard-imageconfigs.yml
+++ b/.github/workflows/verify-osguard-imageconfigs.yml
@@ -4,6 +4,9 @@ on:
 pull_request:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 verify-osguard-imageconfigs:
 runs-on: ubuntu-latest