diff --git a/.github/workflows/ci-devel.yml b/.github/workflows/ci-devel.yml
index 34c88a2ec4..57365fc0de 100644
--- a/.github/workflows/ci-devel.yml
+++ b/.github/workflows/ci-devel.yml
@@ -1,5 +1,8 @@
 name: CI - Devel scripts
 
+permissions:
+  contents: read
+
 on:
   push:
     paths:
diff --git a/.github/workflows/ci-doc-check.yml b/.github/workflows/ci-doc-check.yml
index 6d31206a62..49acb9ae0f 100644
--- a/.github/workflows/ci-doc-check.yml
+++ b/.github/workflows/ci-doc-check.yml
@@ -1,5 +1,8 @@
 name: "CI - Documentation Check"
 
+permissions:
+  contents: read
+
 on:
   push:
     paths:
diff --git a/.github/workflows/ci-integration-tests.yml b/.github/workflows/ci-integration-tests.yml
index 67bae93e6b..46129f3efd 100644
--- a/.github/workflows/ci-integration-tests.yml
+++ b/.github/workflows/ci-integration-tests.yml
@@ -1,5 +1,8 @@
 name: "CI - Integration Tests"
 
+permissions:
+  contents: read
+
 on:
   schedule:
     # at 9:45 UTC every day from Monday to Friday
diff --git a/.github/workflows/ci-live.yml b/.github/workflows/ci-live.yml
index b20a0874cb..ba14f2e3b7 100644
--- a/.github/workflows/ci-live.yml
+++ b/.github/workflows/ci-live.yml
@@ -1,5 +1,8 @@
 name: CI - ISO definition
 
+permissions:
+  contents: read
+
 on:
   push:
     paths:
diff --git a/.github/workflows/ci-rubocop.yml b/.github/workflows/ci-rubocop.yml
index 55aa0bf125..947dbf1adc 100644
--- a/.github/workflows/ci-rubocop.yml
+++ b/.github/workflows/ci-rubocop.yml
@@ -1,5 +1,8 @@
 name: "CI - Rubocop"
 
+permissions:
+  contents: read
+
 on:
   push:
     paths:
diff --git a/.github/workflows/ci-rust.yml b/.github/workflows/ci-rust.yml
index dcc1f35bf5..268fa0ce9c 100644
--- a/.github/workflows/ci-rust.yml
+++ b/.github/workflows/ci-rust.yml
@@ -1,6 +1,8 @@
 name: CI - Rust
+
 permissions:
   contents: read
+
 on:
   push:
     paths:
diff --git a/.github/workflows/ci-service.yml b/.github/workflows/ci-service.yml
index 63fcd141f3..bfd8a9dc5c 100644
--- a/.github/workflows/ci-service.yml
+++ b/.github/workflows/ci-service.yml
@@ -1,6 +1,8 @@
 name: CI - Service
+
 permissions:
   contents: read
+
 on:
   push:
     paths:
diff --git a/.github/workflows/ci-web.yml b/.github/workflows/ci-web.yml
index 0dfb604941..c0ac1cbd5c 100644
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@@ -1,6 +1,8 @@
 name: CI - Web
+
 permissions:
   contents: read
+
 on:
   push:
     paths:
diff --git a/.github/workflows/obs-service-shared.yml b/.github/workflows/obs-service-shared.yml
index 5c0a3ccd1e..20d21c513a 100644
--- a/.github/workflows/obs-service-shared.yml
+++ b/.github/workflows/obs-service-shared.yml
@@ -2,6 +2,9 @@
 
 name: Update OBS Service Package
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     secrets:
diff --git a/.github/workflows/obs-staging-autoinstallation.yml b/.github/workflows/obs-staging-autoinstallation.yml
index d9c8f15f3f..4728b0b2be 100644
--- a/.github/workflows/obs-staging-autoinstallation.yml
+++ b/.github/workflows/obs-staging-autoinstallation.yml
@@ -1,5 +1,8 @@
 name: Submit agama-auto
 
+permissions:
+  contents: read
+
 on:
   # runs on pushes targeting the default branch
   push:
diff --git a/.github/workflows/obs-staging-live.yml b/.github/workflows/obs-staging-live.yml
index e0eb7ed708..19d19fec6e 100644
--- a/.github/workflows/obs-staging-live.yml
+++ b/.github/workflows/obs-staging-live.yml
@@ -1,5 +1,8 @@
 name: Submit agama-installer
 
+permissions:
+  contents: read
+
 on:
   push:
     paths:
diff --git a/.github/workflows/obs-staging-products.yml b/.github/workflows/obs-staging-products.yml
index 95743e56b9..21a2d5e84b 100644
--- a/.github/workflows/obs-staging-products.yml
+++ b/.github/workflows/obs-staging-products.yml
@@ -1,5 +1,8 @@
 name: Submit agama-products
 
+permissions:
+  contents: read
+
 on:
   push:
     paths:
diff --git a/.github/workflows/obs-staging-rust.yml b/.github/workflows/obs-staging-rust.yml
index 7f8fd25f2c..8bb587e4bb 100644
--- a/.github/workflows/obs-staging-rust.yml
+++ b/.github/workflows/obs-staging-rust.yml
@@ -1,5 +1,8 @@
 name: Submit agama
 
+permissions:
+  contents: read
+
 on:
   push:
     paths:
diff --git a/.github/workflows/obs-staging-service.yml b/.github/workflows/obs-staging-service.yml
index 9679811807..4c6d033a63 100644
--- a/.github/workflows/obs-staging-service.yml
+++ b/.github/workflows/obs-staging-service.yml
@@ -1,5 +1,8 @@
 name: Submit rubygem-agama-yast
 
+permissions:
+  contents: read
+
 on:
   push:
     paths:
diff --git a/.github/workflows/obs-staging-shared.yml b/.github/workflows/obs-staging-shared.yml
index e3cfade8aa..e300d1779c 100644
--- a/.github/workflows/obs-staging-shared.yml
+++ b/.github/workflows/obs-staging-shared.yml
@@ -2,6 +2,9 @@
 
 name: Update OBS Packages
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     secrets:
diff --git a/.github/workflows/obs-staging-web.yml b/.github/workflows/obs-staging-web.yml
index b457caca32..9efe96ded4 100644
--- a/.github/workflows/obs-staging-web.yml
+++ b/.github/workflows/obs-staging-web.yml
@@ -1,5 +1,8 @@
 name: Submit agama-web-ui
 
+permissions:
+  contents: read
+
 on:
   push:
     paths:
diff --git a/.github/workflows/weblate-merge-po.yml b/.github/workflows/weblate-merge-po.yml
index be5b247920..5749986a4c 100644
--- a/.github/workflows/weblate-merge-po.yml
+++ b/.github/workflows/weblate-merge-po.yml
@@ -1,5 +1,10 @@
 name: Weblate Merge PO
 
+permissions:
+  # it merges the updated translations and creates a pull request with the changes
+  contents: write
+  pull-requests: write
+
 on:
   schedule:
     # run every Monday at 2:42AM UTC
diff --git a/.github/workflows/weblate-merge-products-po.yml b/.github/workflows/weblate-merge-products-po.yml
index 322c338909..d13078ccc9 100644
--- a/.github/workflows/weblate-merge-products-po.yml
+++ b/.github/workflows/weblate-merge-products-po.yml
@@ -1,5 +1,10 @@
 name: Weblate Merge Product PO
 
+permissions:
+  # it merges the updated translations and creates a pull request with the changes
+  contents: write
+  pull-requests: write
+
 on:
   schedule:
     # run every Monday at 2:45AM UTC
diff --git a/.github/workflows/weblate-merge-service-po.yml b/.github/workflows/weblate-merge-service-po.yml
index 92c4d9b710..3c17dfe4b7 100644
--- a/.github/workflows/weblate-merge-service-po.yml
+++ b/.github/workflows/weblate-merge-service-po.yml
@@ -1,5 +1,10 @@
 name: Weblate Merge Service PO
 
+permissions:
+  # it merges the updated translations and creates a pull request with the changes
+  contents: write
+  pull-requests: write
+
 on:
   schedule:
     # run every Monday at 2:45AM UTC
diff --git a/.github/workflows/weblate-update-pot.yml b/.github/workflows/weblate-update-pot.yml
index 6c840b68b0..b750f9c004 100644
--- a/.github/workflows/weblate-update-pot.yml
+++ b/.github/workflows/weblate-update-pot.yml
@@ -1,5 +1,9 @@
 name: Weblate Update POT
 
+permissions:
+  # this action uploads the updated POT files to the agama-weblate repository
+  contents: write
+
 on:
   schedule:
     # run every working day (Monday-Friday) at 1:42AM UTC