diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 3e476ffe..39e1574d 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: macos-15
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index faf5708f..7ef837bf 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -2,6 +2,9 @@ name: "E2E Pipeline for CDK Observability Accelerator"
 on:
   issue_comment:
     types: [created]
+permissions:
+  statuses: write
+
 jobs:
   checkPermissions:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/markdown-link-check.yaml b/.github/workflows/markdown-link-check.yaml
index 7d2a2f19..73797673 100644
--- a/.github/workflows/markdown-link-check.yaml
+++ b/.github/workflows/markdown-link-check.yaml
@@ -13,6 +13,9 @@ on:
     paths:
       - "**/*.md"
 
+permissions:
+  contents: read
+
 jobs:
   markdown-link-check:
     runs-on: ubuntu-latest