diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0a26e59c6..bb1c72273 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,9 @@ on:
 jobs:
 build:
+ permissions:
+ contents: read
+ pull-requests: write
 strategy:
 matrix:
 os: [ubuntu-latest, windows-latest]
diff --git a/.github/workflows/code-coverage.yml b/.github/workflows/code-coverage.yml
index be0a5412b..a33413d84 100644
--- a/.github/workflows/code-coverage.yml
+++ b/.github/workflows/code-coverage.yml
@@ -12,6 +12,9 @@ on:
 jobs:
 build-test-report:
+ permissions:
+ contents: read
+ pull-requests: write
 strategy:
 matrix:
 os: [ubuntu-latest, windows-latest]
diff --git a/.github/workflows/dco-merge-group.yml b/.github/workflows/dco-merge-group.yml
index 0241f80a8..018589ead 100644
--- a/.github/workflows/dco-merge-group.yml
+++ b/.github/workflows/dco-merge-group.yml
@@ -7,6 +7,9 @@ on:
 jobs:
 DCO:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 if: ${{ github.actor != 'renovate[bot]' }}
 steps:
 - run: echo "dummy DCO workflow (it won't run any check actually) to trigger by merge_group in order to enable merge queue"
diff --git a/.github/workflows/dotnet-format.yml b/.github/workflows/dotnet-format.yml
index 63259de07..16799cf11 100644
--- a/.github/workflows/dotnet-format.yml
+++ b/.github/workflows/dotnet-format.yml
@@ -9,6 +9,9 @@ on:
 jobs:
 check-format:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
 - name: Check out code
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index ce4bb634e..ae0ca8391 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -13,6 +13,9 @@ on:
 jobs:
 e2e-tests:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml
index 5dbb56887..f23079276 100644
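Review bot: `pull-requests: write` is granted to the `build` job in ci.yml although no line visible in the hunk writes to a pull request, so the job token looks broader than the job needs. The same block is added to `build-test-report` in code-coverage.yml, `check-format` in dotnet-format.yml and `e2e-tests` in e2e.yml. If no step in these jobs posts a comment, label or review, `contents: read` alone is the least-privilege grant. Where a step does need the write scope, a comment above the key such as `# pull-requests: write is required by the <step name> step` would record why. The step lists continue outside the hunks, so this needs checking against the full jobs.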
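Review bot: The `DCO` job in dco-merge-group.yml shows only a `run: echo …` placeholder step, which touches neither the repository contents nor the pull-request API, so both `contents: read` and `pull-requests: write` exceed what it uses. An empty grant, `permissions: {}`, would leave this job's token with no scopes at all. The step list may continue past the hunk; if the echo is the only step, the empty grant is sufficient.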
--- a/.github/workflows/lint-pr.yml
+++ b/.github/workflows/lint-pr.yml
@@ -1,4 +1,4 @@
-name: 'Lint PR'
+name: "Lint PR"
 on:
 pull_request_target:
@@ -11,6 +11,9 @@ jobs:
 main:
 name: Validate PR title
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
 - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5
 env:
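Review bot: The `main` job in lint-pr.yml is granted `pull-requests: write` in a workflow triggered by `pull_request_target`, where the token keeps the granted scopes even for pull requests opened from forks, so this grant deserves the tightest setting of all the files in this change. Title validation with `amannn/action-semantic-pull-request` is documented as needing only `pull-requests: read`; write is required only if a later step posts a comment on the PR. Unless such a step exists below the `env:` line, which is outside the hunk, consider reducing the block to `pull-requests: read`. No checkout is visible in the hunk, so `contents: read` may be unnecessary as well.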