diff --git a/.github/workflows/cov.yaml b/.github/workflows/cov.yaml
index 080496e4daf..2e359b7583e 100644
--- a/.github/workflows/cov.yaml
+++ b/.github/workflows/cov.yaml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: "40 4 * * *"
+permissions:
+ contents: read
+
 jobs:
 nightly_coverage:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/long-tests.yaml b/.github/workflows/long-tests.yaml
index 50e62fc41c2..b5ed18534c7 100644
--- a/.github/workflows/long-tests.yaml
+++ b/.github/workflows/long-tests.yaml
@@ -7,6 +7,9 @@ on:
 schedule:
 - cron: "30 12 * * *"
+permissions:
+ contents: read
+
 concurrency:
 # At most one of these workflow per ref running
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/mqtt-test.yaml b/.github/workflows/mqtt-test.yaml
index 4267967b222..b693cc62fb7 100644
--- a/.github/workflows/mqtt-test.yaml
+++ b/.github/workflows/mqtt-test.yaml
@@ -1,6 +1,9 @@
 name: MQTT External Tests
 on: [pull_request]
+permissions:
+ contents: read
+
 jobs:
 test:
 env:
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index c2c74d2801f..f93a6094b04 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -10,9 +10,14 @@ on:
 schedule:
 - cron: "40 4 * * *"
+permissions:
+ contents: read
+
 jobs:
 run:
 runs-on: ${{ vars.GHA_WORKER_RELEASE || 'ubuntu-latest' }}
+ permissions:
+ contents: write
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 30f569ee3dc..eef8928c6ec 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,12 +5,14 @@ on:
 - v*
 permissions:
- contents: write
+ contents: read
 jobs:
 run:
 name: GitHub Release
 runs-on: ${{ vars.GHA_WORKER_RELEASE || 'ubuntu-latest' }}
+ permissions:
+ contents: write
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 5d5ba62457b..de40596e7a2 100644
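Review bot: A top-level `permissions:` block that names only `contents: read` sets every scope it does not name to `none`, so in cov.yaml any step of `nightly_coverage` that used the default token for more than reading the repository will now be refused. The same applies to the identical blocks added in long-tests.yaml, mqtt-test.yaml and tests.yaml. The job bodies are outside these hunks, so each workflow needs one check for steps that pass `GITHUB_TOKEN` to an action or call the API (PR comments, check runs, package pulls); where one exists, grant that scope on the job rather than widening the top-level block. A comment above the block, e.g. `# Default to a read-only token; jobs that need more declare it themselves`, would keep the intent clear when the next job is added.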
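Review bot: In nightly.yaml the new job-level `contents: write` on `run` hands the write-scoped token to every step of the job, and the first step in view is `uses: actions/checkout@v4`, a movable tag; the `run` job in release.yaml gets the same grant with the same checkout reference. As these are now the two write-capable jobs, I would pin the action to a full commit SHA, `uses: actions/checkout@<full-commit-sha> # v4`, and, if no later step pushes with git, add `with:` / `persist-credentials: false` so the token is not left in the checkout's git config for later steps to read. The remaining steps of both jobs are outside the hunks, so whether something downstream relies on the persisted credentials has to be confirmed there.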
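Review bot: The job-level `contents: write` added to `run` in release.yaml carries no comment saying what needs it, and with only one job in view the move from top-level to job-level changes nothing in effect today, so the stated reason is what a later editor will rely on. I would add `# contents: write: needed to create the GitHub release` above the new `permissions:` key; the job is named "GitHub Release", but the steps that perform the write are outside the hunk, so the wording should be checked against them. If this workflow later gains a build or test job, keep it on the read-only default and pass artifacts to this job rather than copying the write grant.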
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -5,6 +5,9 @@ on:
 pull_request:
 workflow_dispatch:
+permissions:
+ contents: read
+
 env:
 RACE: ${{ (github.ref != 'refs/heads/main' && !startsWith(github.ref, 'refs/heads/release/') && github.event_name != 'pull_request') && '-race' || '' }}