diff --git a/.github/workflows/build-docker-meta.yml b/.github/workflows/build-docker-meta.yml
index 87a61bc..e179993 100644
--- a/.github/workflows/build-docker-meta.yml
+++ b/.github/workflows/build-docker-meta.yml
@@ -13,6 +13,9 @@ on:
 required: true
 default: true
 
+permissions:
+ contents: read
+
 jobs:
 build-docker:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index de1d9f8..3945b6c 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -13,6 +13,10 @@ on:
 - "docker/**"
 workflow_dispatch:
 
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 generate-matrix:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docs-mkdocs.yml b/.github/workflows/docs-mkdocs.yml
index 4a926ef..767b21c 100644
--- a/.github/workflows/docs-mkdocs.yml
+++ b/.github/workflows/docs-mkdocs.yml
@@ -13,6 +13,11 @@ on:
 - .github/workflows/docs-mkdocs.yml
 - mkdocs.yml
 
+permissions:
+ contents: write
+ pull-requests: write
+ pages: write
+
 jobs:
 mkdocs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
index d643f5c..74a9a61 100644
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -12,6 +12,11 @@ on:
 type: string
 default: ""
 
+permissions:
+ contents: write
+ pull-requests: write
+ issues: write
+
 jobs:
 draft-release:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 38dfaca..ea4eb4d 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -9,6 +9,10 @@ on:
 pull_request:
 branches-ignore: []
 
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 dryrun-lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml
index e0e21eb..f87a779 100644
--- a/.github/workflows/post-release.yml
+++ b/.github/workflows/post-release.yml
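Review bot: In `.github/workflows/docker.yml` the added `pull-requests: read` grant carries no comment saying which step consumes it, and the identical block added to `.github/workflows/main.yaml` has the same gap. The job steps lie outside both hunks, so the need cannot be confirmed from the diff. I would annotate the scope, for example `pull-requests: read  # needed by: (name the step that reads PR metadata)`, or drop it if no step uses the token for PR data, so the least-privilege block stays auditable.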
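Review bot: In `.github/workflows/docs-mkdocs.yml` the block grants `contents: write`, `pull-requests: write` and `pages: write` at workflow level, so every job and every third-party action the workflow runs receives a write-capable `GITHUB_TOKEN`. Only the `mkdocs:` job header is visible here, so this is hedged, but a docs build that publishes by pushing to a branch normally needs `contents: write` alone. I would move the block under the job that deploys and keep only the scopes a step actually uses, each with a short comment naming that step. The same applies to `draft-release.yml` and `post-release.yml`, which both add `contents: write`, `pull-requests: write` and `issues: write` at workflow level.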
@@ -5,6 +5,11 @@ on:
 types:
 - published
 
+permissions:
+ contents: write
+ pull-requests: write
+ issues: write
+
 jobs:
 cleanup:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/techdev-project.yml b/.github/workflows/techdev-project.yml
index e33449f..e9e7350 100644
--- a/.github/workflows/techdev-project.yml
+++ b/.github/workflows/techdev-project.yml
@@ -8,6 +8,9 @@ on:
 types:
 - opened
 
+permissions:
+ issues: read
+
 jobs:
 add-to-project:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/user-projects.yml b/.github/workflows/user-projects.yml
index abcb542..41a6b52 100644
--- a/.github/workflows/user-projects.yml
+++ b/.github/workflows/user-projects.yml
@@ -8,6 +8,11 @@ on:
 types:
 - assigned
 
+permissions:
+ issues: read
+ pull-requests: read
+ contents: read
+
 jobs:
 add-to-project:
 uses: CCBR/.github/.github/workflows/auto-add-user-project.yml@v0.1.0
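Review bot: In `.github/workflows/techdev-project.yml`, listing only `issues: read` sets every other `GITHUB_TOKEN` scope to `none`, including `contents`. The steps of `add-to-project` are outside the hunk, so any step that checks out the repository or writes through `GITHUB_TOKEN` needs re-testing after this change. If the job authenticates to the project with a separate token secret, this block does not constrain that credential. A comment such as `# GITHUB_TOKEN only; project access uses a separate token` would make that boundary explicit, if it matches what the job does.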
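Review bot: In `.github/workflows/user-projects.yml` the only job is a reusable-workflow call, so the three read scopes added here are the ceiling for the called workflow's `GITHUB_TOKEN`. The callee can lower them but not raise them. `auto-add-user-project.yml` is not shown, so confirm it requests nothing beyond read on these scopes, otherwise the run is rejected when it starts. Separately, the `uses:` context line references the callee by the tag `@v0.1.0`. Pinning it to a full commit SHA would keep the code that runs under this token immutable.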