diff --git a/.github/workflows/ci-checks.yml b/.github/workflows/ci-checks.yml
index 4fdc1bcba5..f3b9923875 100644
--- a/.github/workflows/ci-checks.yml
+++ b/.github/workflows/ci-checks.yml
@@ -3,6 +3,9 @@ name: Checks
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   security:
     name: Security
diff --git a/.github/workflows/ci-oss.yml b/.github/workflows/ci-oss.yml
index f6f490f341..ea007b5677 100644
--- a/.github/workflows/ci-oss.yml
+++ b/.github/workflows/ci-oss.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
     types: [opened, synchronize]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     if: github.event.pull_request.head.repo.full_name != github.repository
diff --git a/.github/workflows/ci-saas.yml b/.github/workflows/ci-saas.yml
index f1d8875b44..aa98a8e939 100644
--- a/.github/workflows/ci-saas.yml
+++ b/.github/workflows/ci-saas.yml
@@ -3,6 +3,9 @@ name: CI (SaaS)
 on:
   push:
 
+permissions:
+  contents: read
+
 jobs:
   test_oss:
     name: Test (OSS)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8b5925a13e..e62118357a 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,6 +10,9 @@ on:
       GH_TOKEN:
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Tests (${{ matrix.mode }})