diff --git a/.github/workflows/ci-cleanup.yml b/.github/workflows/ci-cleanup.yml
index 4c67abc47d5..f8f65333603 100644
--- a/.github/workflows/ci-cleanup.yml
+++ b/.github/workflows/ci-cleanup.yml
@@ -8,6 +8,9 @@ on:
 jobs:
 cleanup:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ actions: write
 steps:
 - name: Check out code
 uses: actions/checkout@v6
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1589fcf4523..cae156eb66c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,6 +10,9 @@ concurrency:
 group: ci-new-2-${{ github.event.pull_request.number }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 check-changes:
 name: Check for Changes
@@ -276,6 +279,9 @@ jobs:
 runs-on: ubuntu-latest
 needs: check-changes
 if: needs.check-changes.outputs.src_changes == 'true'
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v6
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 967465861d8..1aa649abdd1 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -12,6 +12,9 @@ concurrency:
 group: main-coverage
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 configure:
 name: Generate Test Matrix
diff --git a/.github/workflows/publish-website.yml b/.github/workflows/publish-website.yml
index b1b651b401b..88ae1afc631 100644
--- a/.github/workflows/publish-website.yml
+++ b/.github/workflows/publish-website.yml
@@ -10,6 +10,9 @@ on:
 - .docker/website/**
 - website/**
 
+permissions:
+ contents: read
+
 jobs:
 build-and-deploy:
 runs-on: ubuntu-latest
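Review bot: In `.github/workflows/ci-cleanup.yml` the new `permissions:` block is scoped to the `cleanup` job only, whereas the other workflows in this commit set a workflow-level default, so a job added to this file later would fall back to the repository's default token permissions. A top-level `permissions:` with `contents: read` above `jobs:` would keep the file default-restricted and consistent with the rest of the change. `actions: write` is the widest grant in the commit, and a comment beside it naming the API calls that need it (for example `# actions: write: needed to <operation the cleanup step performs>`) would let the next reviewer judge whether it can be narrowed. The job's steps continue outside the hunk, so I cannot confirm which calls require it.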
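Review bot: The workflow-level `permissions:` block added above `jobs:` in `.github/workflows/ci.yml` sets every scope it does not list to `none`, and only one job in this file receives an override in this commit. Any other job that comments on the pull request, writes checks or statuses, uploads code-scanning results or requests an OIDC token would start failing with 403 responses, so each job outside the hunk should be checked against the new default before merging. The same applies to the identical block added in `.github/workflows/coverage.yml`. A comment above the block, such as `# Default to a read-only token; jobs that need more declare it themselves`, would record the intent for later editors.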
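Review bot: The job patched in the second `ci.yml` hunk (the one gated on `needs.check-changes.outputs.src_changes`) now holds `pull-requests: write` and begins by checking out the repository, so later steps that build or run code from the pull request execute in a job whose token can modify the PR. Adding `with:` / `persist-credentials: false` to the `actions/checkout@v6` step would reduce how easily that token reaches scripts run from the checked-out tree. The concurrency group suggests a pull-request trigger: under `pull_request` the token is normally read-only for fork PRs regardless of this block, so the step that writes to the PR should tolerate a 403, and under `pull_request_target` checking out the PR head with a write token would need a closer look. The trigger and the remaining steps are outside the hunk, so both points need confirming against the full file.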
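Review bot: In `.github/workflows/publish-website.yml` the new read-only default applies to `build-and-deploy`, and the commit adds no job-level override for it. If the deploy step pushes to a branch or publishes to GitHub Pages with `GITHUB_TOKEN`, that job would need `contents: write` (or `pages: write` plus `id-token: write`) and will otherwise fail at publish time rather than in review. If it deploys with a separate credential, the read-only default is the right choice and a short comment such as `# deploy uses a dedicated secret; GITHUB_TOKEN stays read-only` would make that explicit. The job's steps are outside the hunk, so this needs checking against them.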