diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 899ff07c57..0827627128 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -9,6 +9,9 @@ env:
 CACHE_VERSION: 31
 DEFAULT_PYTHON: "3.11"

+permissions:
+ contents: read
+
 jobs:
 check-changelog:
 if: contains(github.event.pull_request.labels.*.name, 'skip news :mute:') != true
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index d4cf004e2e..4105648921 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@@ -16,6 +16,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true

+permissions:
+ contents: read
+
 jobs:
 prepare-base:
 name: Prepare base dependencies
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 9dbf529399..58f5c1d418 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,9 @@ on:
 schedule:
 - cron: "44 16 * * 4"

+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/primer-test.yaml b/.github/workflows/primer-test.yaml
index 7ac7720ce9..63fbc0ee0f 100644
--- a/.github/workflows/primer-test.yaml
+++ b/.github/workflows/primer-test.yaml
@@ -19,6 +19,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true

+permissions:
+ contents: read
+
 jobs:
 prepare-tests-linux:
 name: prepare / ${{ matrix.python-version }} / Linux
diff --git a/.github/workflows/primer_run_main.yaml b/.github/workflows/primer_run_main.yaml
index f6e1cab624..baa21fc998 100644
--- a/.github/workflows/primer_run_main.yaml
+++ b/.github/workflows/primer_run_main.yaml
@@ -18,6 +18,9 @@ env:
 # This needs to be the SAME as in the PR and comment job
 CACHE_VERSION: 31

+permissions:
+ contents: read
+
 jobs:
 run-primer:
 name: Run / ${{ matrix.python-version }}
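Review bot: The `permissions:` block added to changelog.yml, and the identical block in the other workflows of this diff, has no comment marking it as a deliberate least-privilege default. Declaring any scope at workflow level sets every unlisted GITHUB_TOKEN scope to none, so a job added later that needs to write will fail for a reason that is not visible in the job itself. I would put `# Least privilege: scopes not listed here are none; grant extras per job.` above the block in each file.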
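Review bot: In codeql-analysis.yml the new workflow-level `permissions:` block leaves `security-events` at none, and CodeQL needs `security-events: write` to upload its results. The `analyze` job body is outside the hunk, so confirm it declares its own job-level `permissions:` with `contents: read` and `security-events: write`. If it does not, the analysis would still run but the upload step would likely fail, and code-scanning alerts would stop being refreshed.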
diff --git a/.github/workflows/primer_run_pr.yaml b/.github/workflows/primer_run_pr.yaml
index 3843038f75..1bd099f386 100644
--- a/.github/workflows/primer_run_pr.yaml
+++ b/.github/workflows/primer_run_pr.yaml
@@ -27,6 +27,9 @@ env:
 # This needs to be the SAME as in the Main and comment job
 CACHE_VERSION: 31

+permissions:
+ contents: read
+
 jobs:
 run-primer:
 name: Run / ${{ matrix.python-version }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fdbfc9e00f..57529a54cc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,9 @@ on:
 env:
 DEFAULT_PYTHON: "3.11"

+permissions:
+ contents: read
+
 jobs:
 release-pypi:
 name: Upload release to PyPI
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index c1feb4d317..5dd5dda935 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -12,6 +12,9 @@ on:
 env:
 CACHE_VERSION: 31

+permissions:
+ contents: read
+
 jobs:
 tests-linux:
 name: run / ${{ matrix.python-version }} / Linux
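Review bot: In release.yml the workflow-level `contents: read` also leaves `id-token` at none for the `release-pypi` job. The upload step is outside the hunk; if it authenticates to PyPI through trusted publishing (OIDC) rather than an API-token secret, the job needs its own `permissions:` with `id-token: write`. Granting that scope on the publishing job alone keeps the rest of the workflow read-only, and a comment on the job saying which credential the upload uses would make the choice reviewable.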