diff --git a/.github/workflows/codecov_code_coverage.yml b/.github/workflows/codecov_code_coverage.yml
index 4e12253b..c76f6a60 100644
--- a/.github/workflows/codecov_code_coverage.yml
+++ b/.github/workflows/codecov_code_coverage.yml
@@ -8,6 +8,9 @@ on:
     branches:
       - 'main'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/notify_pull_request.yml b/.github/workflows/notify_pull_request.yml
index 419f4a8f..c4c7cda1 100644
--- a/.github/workflows/notify_pull_request.yml
+++ b/.github/workflows/notify_pull_request.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
     types: [opened, ready_for_review, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   notify:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/notify_release.yml b/.github/workflows/notify_release.yml
index b2544dac..4a46a128 100644
--- a/.github/workflows/notify_release.yml
+++ b/.github/workflows/notify_release.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [created, published]
 
+permissions:
+  contents: read
+
 jobs:
   notify:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release_pr.yml b/.github/workflows/release_pr.yml
index 1c9ab02f..fc4a193b 100644
--- a/.github/workflows/release_pr.yml
+++ b/.github/workflows/release_pr.yml
@@ -17,6 +17,10 @@ env:
   GIT_USER_NAME: amplify-android-dev+ghops
   GIT_USER_EMAIL: amplify-android-dev+ghops@amazon.com
   BASE_BRANCH: ${{ github.ref_name }}
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   create_pr_for_next_release:
     runs-on: ubuntu-latest