diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
index af72d81a0..af7896ee2 100644
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@@ -4,8 +4,13 @@ on:
 # Run every month on the 1st day at 08:15 AM.
 - cron: '15 8 * 1 *'
 
+permissions:
+ contents: read
+
 jobs:
 create-monthly-tag:
+ permissions:
+ contents: write # required for pushing git tags
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c8cdc6d77..7413408d3 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,6 +8,9 @@ on:
 schedule:
 - cron: "21 6 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze Go (${{ matrix.target_arch }})
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index 354ce25c6..4db8e6bda 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -4,6 +4,8 @@ on:
 branches:
 - main
 pull_request:
+permissions:
+ contents: read
 jobs:
 codespell:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/push-docker-image.yml b/.github/workflows/push-docker-image.yml
index 93f49c61c..03449e27e 100644
--- a/.github/workflows/push-docker-image.yml
+++ b/.github/workflows/push-docker-image.yml
@@ -6,6 +6,9 @@ on:
 paths:
 - "Dockerfile"
 
+permissions:
+ contents: read
+
 jobs:
 build-and-push:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/unit-test-on-pull-request.yml b/.github/workflows/unit-test-on-pull-request.yml
index bc68a08d4..0c7236301 100644
--- a/.github/workflows/unit-test-on-pull-request.yml
+++ b/.github/workflows/unit-test-on-pull-request.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: ["**"]
 
+permissions:
+ contents: read
+
 jobs:
 legal:
 name: Check licenses of dependencies
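Review bot: The job-level `contents: write` in `create-monthly-tag` is held by every step of the job, not only the one that pushes the tag, and the step list continues past the end of this hunk. If any of those steps is a third-party action, pin it to a full commit SHA so that a moved upstream tag cannot run with a push-capable token. Separately, the schedule in the context lines does not match its comment: `'15 8 * 1 *'` fires at 08:15 on every day of January, whereas the 1st of each month would be `- cron: '15 8 1 * *'`, so the write-scoped job runs on a different schedule than documented.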
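Review bot: Setting workflow-level `permissions:` to `contents: read` drops every unlisted scope to `none`, so in codeql.yml the `analyze` job needs its own grant for uploading results unless one already exists below the hunk. The usual job-level block is `permissions:` with `security-events: write` and `contents: read` (plus `actions: read` on private repositories). The same applies to the hunks in push-docker-image.yml and unit-test-on-pull-request.yml: a `build-and-push` job that publishes to GitHub's registry with `GITHUB_TOKEN` needs `packages: write`, and a test job that posts comments or check runs needs the matching scope. The job bodies are outside these hunks, so this should be confirmed against the full files.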
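Review bot: In codespell.yml the new `permissions:` block sits directly between `pull_request:` and `jobs:` with no blank lines, while the other four workflows in this commit separate it with a blank line on each side. Adding the same blank lines here keeps the top-level keys visually distinct and makes it obvious that `permissions:` is not nested under `on:`.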