diff --git a/.github/workflows/cd-pypi.yaml b/.github/workflows/cd-pypi.yaml index 6b046b99d4..f1a8aa8d6f 100644 --- a/.github/workflows/cd-pypi.yaml +++ b/.github/workflows/cd-pypi.yaml @@ -4,6 +4,9 @@ on: release: types: [published] +permissions: + contents: read + jobs: deploy: runs-on: ubuntu-latest diff --git a/.github/workflows/cd-release.yaml b/.github/workflows/cd-release.yaml index 166539e6ec..ffe1264581 100644 --- a/.github/workflows/cd-release.yaml +++ b/.github/workflows/cd-release.yaml @@ -4,6 +4,9 @@ on: tags: - "v1*" +permissions: + contents: write + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/ci-branch.yaml b/.github/workflows/ci-branch.yaml index 5062b53e2f..f51d6d4eed 100644 --- a/.github/workflows/ci-branch.yaml +++ b/.github/workflows/ci-branch.yaml @@ -2,6 +2,9 @@ name: "[CI] Test branch" on: [push] +permissions: + contents: read + jobs: unitlint: if: github.repository == 'aws-cloudformation/cfn-lint' && github.ref_name == 'main' diff --git a/.github/workflows/ci-pr-data.yaml b/.github/workflows/ci-pr-data.yaml index 4148d8835d..232f2b2c16 100644 --- a/.github/workflows/ci-pr-data.yaml +++ b/.github/workflows/ci-pr-data.yaml @@ -5,6 +5,9 @@ on: paths: - "src/cfnlint/data/**" +permissions: + contents: read + jobs: data: runs-on: ubuntu-latest diff --git a/.github/workflows/ci-pr.yaml b/.github/workflows/ci-pr.yaml index a6ff277d1c..6b1553ffed 100644 --- a/.github/workflows/ci-pr.yaml +++ b/.github/workflows/ci-pr.yaml @@ -2,6 +2,9 @@ name: "[CI] Test PR" on: [pull_request] +permissions: + contents: read + jobs: unitlint: runs-on: ${{ matrix.os }} diff --git a/.github/workflows/maintenance-v1.yaml b/.github/workflows/maintenance-v1.yaml index e043d600fe..0ce84c455c 100644 --- a/.github/workflows/maintenance-v1.yaml +++ b/.github/workflows/maintenance-v1.yaml 
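Review bot: A workflow-level `permissions:` block sets every scope it does not list to `none`, so with `contents: read` alone the cd-pypi.yaml deploy job no longer gets an OIDC token; if that job publishes via PyPI trusted publishing (pypa/gh-action-pypi-publish without a password), it will fail at the upload step. The job body is outside the hunk, so this is a check rather than a confirmed defect: with a stored API-token secret the block is correct as written, and with trusted publishing the fix is to grant the scope on the job only, `deploy:` / `permissions:` / `id-token: write`, rather than widening the workflow-level block.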
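Review bot: In cd-release.yaml `contents: write` is declared at workflow level, so every job in the file (including `build`, whose body is outside the hunk) and every third-party action those jobs run receive a token that can push commits, tags and releases to the repository. The least-privilege shape is `contents: read` at the top and `contents: write` only on the job that actually creates the release, `permissions:` / `  contents: write` under that job; a compromised or mis-pinned action in the other jobs then cannot alter the repository. The same applies to the maintenance-v1.yaml hunk, where both `contents: write` and `pull-requests: write` are granted workflow-wide on a scheduled and manually dispatchable workflow: scope them to the job that opens the pull request, and keep the workflow default at `contents: read`.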
@@ -3,6 +3,10 @@ on: schedule: - cron: "0 8,20 * * *" workflow_dispatch: # Enables on-demand/manual triggering: https://docs.github.com/en/free-pro-team@latest/actions/managing-workflow-runs/manually-running-a-workflow +permissions: + contents: write + pull-requests: write + jobs: job: runs-on: ubuntu-latest