diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index d0325b382..5d780649a 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -16,6 +16,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   markdown-link-check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/maven_release.yml b/.github/workflows/maven_release.yml
index c5ad886ff..fa4d699a0 100644
--- a/.github/workflows/maven_release.yml
+++ b/.github/workflows/maven_release.yml
@@ -5,6 +5,9 @@ on:
     types:
       - published
 
+permissions:
+  contents: read
+
 jobs:
   ubuntu-latest-jdbc-wrapper-release-to-maven:
     name: 'Build And Release to Maven'
diff --git a/.github/workflows/maven_snapshot.yml b/.github/workflows/maven_snapshot.yml
index fda0edcd3..cde9b6337 100644
--- a/.github/workflows/maven_snapshot.yml
+++ b/.github/workflows/maven_snapshot.yml
@@ -6,6 +6,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   ubuntu-latest-jdbc-wrapper-snapshot-to-maven:
     name: 'Build And Upload Snapshot to Maven'
diff --git a/.github/workflows/remove-old-artifacts.yml b/.github/workflows/remove-old-artifacts.yml
index 60e2408d3..0a1d96058 100644
--- a/.github/workflows/remove-old-artifacts.yml
+++ b/.github/workflows/remove-old-artifacts.yml
@@ -5,6 +5,9 @@ on:
     # Every day at 1am
     - cron: '0 1 * * *'
 
+permissions:
+  actions: write
+
 jobs:
   remove-old-artifacts:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/run-hibernate-orm-tests.yml b/.github/workflows/run-hibernate-orm-tests.yml
index c6fc6d948..e1138a27f 100644
--- a/.github/workflows/run-hibernate-orm-tests.yml
+++ b/.github/workflows/run-hibernate-orm-tests.yml
@@ -6,6 +6,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   hibernate-integration-tests:
     name: 'Run Hibernate ORM integration tests'
diff --git a/.github/workflows/run-standard-integration-tests.yml b/.github/workflows/run-standard-integration-tests.yml
index 1471e55da..43309463f 100644
--- a/.github/workflows/run-standard-integration-tests.yml
+++ b/.github/workflows/run-standard-integration-tests.yml
@@ -12,6 +12,9 @@ on:
       - '**/release_draft.yml'
       - '**/maven*.yml'
 
+permissions:
+  contents: read
+
 jobs:
   standard-integration-tests:
     name: 'Run standard container integration tests'