diff --git a/.github/workflows/check_amalgamation.yml b/.github/workflows/check_amalgamation.yml
index 113dc1d02..032a5d6ed 100644
--- a/.github/workflows/check_amalgamation.yml
+++ b/.github/workflows/check_amalgamation.yml
@@ -3,6 +3,9 @@ name: "Check amalgamation" on: pull_request:
+permissions:
+ contents: read
+
 jobs: save: runs-on: ubuntu-latest
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index e0caf58c0..d82d0b569 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -1,6 +1,9 @@ name: CIFuzz on: [pull_request]
+permissions:
+ contents: read
+
 jobs: Fuzzing: runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 7b88dd380..6af859d61 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -15,6 +15,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs: CodeQL-Build:
diff --git a/.github/workflows/comment_check_amalgamation.yml b/.github/workflows/comment_check_amalgamation.yml
index cba876976..edbece45b 100644
--- a/.github/workflows/comment_check_amalgamation.yml
+++ b/.github/workflows/comment_check_amalgamation.yml
@@ -5,6 +5,9 @@ on: types: - completed
+permissions:
+ contents: read
+
 jobs: comment: if: ${{ github.event.workflow_run.conclusion == 'failure' }}
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index f5bc333f8..21a469b13 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -9,6 +9,9 @@ name: 'Dependency Review' on: [pull_request]
+permissions:
+ contents: read
+
 jobs: dependency-review: runs-on: ubuntu-latest
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 08568c076..0898980e4 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
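Review bot: In codeql-analysis.yml, the new workflow-level `permissions:` block sets every scope it does not list to `none`, so `CodeQL-Build` can only upload its results to code scanning if the job carries its own block with `security-events: write`. The job body lies outside the hunk, so this cannot be confirmed from here; if there is no job-level block, add `permissions:` with `contents: read` and `security-events: write` under `CodeQL-Build:`. The same check applies to the `analysis` job in scorecards.yml, whose steps are also outside its hunk and which would need that write scope if it uploads SARIF.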
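Review bot: In comment_check_amalgamation.yml, `contents: read` at workflow level leaves the `comment` job without `pull-requests: write` (or `issues: write`), which it presumably needs to post its comment, and without `actions: read` if it fetches an artifact from the triggering run. The job's steps are outside the hunk, so whether it already declares job-level permissions is not visible; if it does not, grant only those scopes on the job, e.g. `permissions:` with `pull-requests: write` and `actions: read`. The `if:` condition reads `github.event.workflow_run`, so this appears to be a `workflow_run` workflow that executes with the base repository's token. Anything it reads from the pull request's run should therefore be handled as untrusted data.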
@@ -4,6 +4,9 @@ on: pull_request_target: types: [opened, synchronize]
+permissions:
+ contents: read
+
 jobs: label: permissions:
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index ec30efc5a..4a22a5baa 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -13,6 +13,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs: # macos-11 is deprecated # macos-11:
diff --git a/.github/workflows/publish_documentation.yml b/.github/workflows/publish_documentation.yml
index 09127aefe..c6b56a537 100644
--- a/.github/workflows/publish_documentation.yml
+++ b/.github/workflows/publish_documentation.yml
@@ -15,6 +15,9 @@ concurrency: group: documentation cancel-in-progress: false
+permissions:
+ contents: read
+
 jobs: publish_documentation: permissions:
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index c4ef2e35f..4c88cc309 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -14,6 +14,9 @@ on: push: branches: ["develop"]
+permissions:
+ contents: read
+
 jobs: analysis: name: Scorecard analysis
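Review bot: The workflow-level block added to labeler.yml has no effect on `label`, because the job-level `permissions:` key visible at the end of the hunk replaces the workflow default rather than merging with it; the same holds for `publish_documentation` in publish_documentation.yml. A short comment above the new block would keep that from being misread, e.g. `# Default for jobs without their own permissions block; a job-level block replaces it entirely.` Since labeler.yml runs on `pull_request_target`, which uses the base repository's token, it is also worth confirming that the job-level block grants only what labelling needs. That block continues outside the hunk, so this cannot be checked here.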