diff --git a/.github/workflows/buf-lint.yml b/.github/workflows/buf-lint.yml
index 37756adbfd..bb5d78e5e7 100644
--- a/.github/workflows/buf-lint.yml
+++ b/.github/workflows/buf-lint.yml
@@ -4,6 +4,9 @@ on:
 paths:
 - ".github/workflows/buf-lint.yml"
 - "**.proto"
+permissions:
+ contents: read
+
 jobs:
 buf:
 name: lint
diff --git a/.github/workflows/buf.yml b/.github/workflows/buf.yml
index 4fe8c86b3e..ee06981e0f 100644
--- a/.github/workflows/buf.yml
+++ b/.github/workflows/buf.yml
@@ -3,6 +3,9 @@ on:
 push:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 buf:
 name: lint and publish
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 01075f0c22..298c0701af 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -6,6 +6,9 @@ on:
 schedule:
 - cron: "26 14 * * 1"
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/funcbench.yml b/.github/workflows/funcbench.yml
index 6583aa95b9..0826bcabe4 100644
--- a/.github/workflows/funcbench.yml
+++ b/.github/workflows/funcbench.yml
@@ -2,6 +2,9 @@ on:
 repository_dispatch:
 types: [funcbench_start]
 name: Funcbench Workflow
+permissions:
+ contents: read
+
 jobs:
 run_funcbench:
 name: Running funcbench
diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml
index 87c40d3105..d0751f2fb6 100644
--- a/.github/workflows/fuzzing.yml
+++ b/.github/workflows/fuzzing.yml
@@ -1,6 +1,9 @@
 name: CIFuzz
 on:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 Fuzzing:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/repo_sync.yml b/.github/workflows/repo_sync.yml
index ca8197878c..392d801b0e 100644
--- a/.github/workflows/repo_sync.yml
+++ b/.github/workflows/repo_sync.yml
@@ -2,6 +2,9 @@ on:
 schedule:
 - cron: '44 17 * * *'
+permissions:
+ contents: read
+
 jobs:
 repo_sync:
 runs-on: ubuntu-latest
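Review bot: The top-level `permissions:` block added to buf-lint.yml has no comment explaining that it sets the default GITHUB_TOKEN scope for every job in the file, and that any scope not listed becomes `none`. The identical blocks added to buf.yml, codeql-analysis.yml, funcbench.yml, fuzzing.yml and repo_sync.yml have the same gap. A one-line comment above the key, e.g. `# Default GITHUB_TOKEN to read-only; grant extra scopes per job, not here.`, would steer whoever later adds a job needing write access to raise it at job level instead of loosening the workflow-wide default. The `jobs:` mapping continues outside each hunk.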
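Review bot: In codeql-analysis.yml the workflow-level `contents: read` drops every other GITHUB_TOKEN scope to `none`, but a CodeQL `analyze` job normally needs `security-events: write` to upload its results to code scanning. The job body continues outside the hunk, so it may already declare this; if it does not, add `permissions:` with `security-events: write` under `analyze:`, so the grant is job-level and the workflow default stays read-only. A job-level `permissions` block replaces the workflow-level one rather than merging with it, so repeat `contents: read` there if the job's checkout step relies on it.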