diff --git a/.changeset/purple-bikes-jam.md b/.changeset/purple-bikes-jam.md
new file mode 100644
index 00000000..7f13f307
--- /dev/null
+++ b/.changeset/purple-bikes-jam.md
@@ -0,0 +1,15 @@
+---
+"@codecov/astro-plugin": patch
+"@codecov/bundle-analyzer": patch
+"@codecov/bundler-plugin-core": patch
+"@codecov/nextjs-webpack-plugin": patch
+"@codecov/nuxt-plugin": patch
+"@codecov/remix-vite-plugin": patch
+"@codecov/rollup-plugin": patch
+"@codecov/solidstart-plugin": patch
+"@codecov/sveltekit-plugin": patch
+"@codecov/vite-plugin": patch
+"@codecov/webpack-plugin": patch
+---
+
+update GitHub Actions workflow permissions
diff --git a/.github/workflows/cache_cleanup.yml b/.github/workflows/cache_cleanup.yml
index d1a2fbc3..6c122f94 100644
--- a/.github/workflows/cache_cleanup.yml
+++ b/.github/workflows/cache_cleanup.yml
@@ -4,6 +4,9 @@ on:
 types:
 - closed
 
+permissions:
+ contents: read
+
 jobs:
 cleanup:
 runs-on: ubuntu-latest
@@ -21,7 +24,7 @@ jobs:
 echo "Fetching list of cache key"
 cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH -L 100 | cut -f 1 )
 
- ## Setting this to not fail the workflow while deleting cache keys.
+ ## Setting this to not fail the workflow while deleting cache keys.
 set +e
 echo "Deleting caches..."
 for cacheKey in $cacheKeysForPR
diff --git a/.github/workflows/enforce-license-compliance.yml b/.github/workflows/enforce-license-compliance.yml
index 86be7410..a6906675 100644
--- a/.github/workflows/enforce-license-compliance.yml
+++ b/.github/workflows/enforce-license-compliance.yml
@@ -4,6 +4,9 @@ on:
 pull_request:
 branches: [main, master]
 
+permissions:
+ contents: read
+
 jobs:
 enforce-license-compliance:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/prepare-publish.yml b/.github/workflows/prepare-publish.yml
index 91d5f243..20d06baa 100644
--- a/.github/workflows/prepare-publish.yml
+++ b/.github/workflows/prepare-publish.yml
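Review bot: In cache_cleanup.yml the new workflow-level `permissions:` block grants only `contents: read`, which leaves every other GITHUB_TOKEN scope, including `actions`, at none, while the cleanup step lists and deletes caches through `gh actions-cache`. If that step authenticates with the default GITHUB_TOKEN and the `cleanup` job does not declare its own permissions (the job body continues outside this hunk, so neither is visible here), those calls would be denied. The `set +e` in the following hunk would keep the run green, so the cleanup could stop working without anyone noticing. Consider granting the scope on the job only, `permissions:` with `actions: write` and `contents: read` under `cleanup:`, and confirm on a closed test PR that caches are still removed.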
@@ -3,6 +3,10 @@ name: Prepare Publish on: workflow_dispatch: +permissions: + contents: read + pull-requests: write + concurrency: ${{ github.workflow }}-${{ github.ref }} jobs: diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index ffb8ae7c..6478cbea 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -7,6 +7,9 @@ on: paths: - "**/CHANGELOG.md" +permissions: + contents: read + concurrency: ${{ github.workflow }}-${{ github.ref }} jobs: @@ -16,7 +19,7 @@ jobs: # For whatever reason, yaml does not like the full "meta(changelog): Update package versions" string # So we check this in two parts if: | - contains(github.event.head_commit.message, 'meta(changelog)') + contains(github.event.head_commit.message, 'meta(changelog)') && contains(github.event.head_commit.message, 'Update package versions') steps: - name: Checkout Repo @@ -68,7 +71,7 @@ jobs: # For whatever reason, yaml does not like the full "meta(changelog): Update package versions" string # So we check this in two parts if: | - contains(github.event.head_commit.message, 'meta(changelog)') + contains(github.event.head_commit.message, 'meta(changelog)') && contains(github.event.head_commit.message, 'Update package versions') steps: - name: Checkout Repo diff --git a/.github/workflows/test-api-ci.yml b/.github/workflows/test-api-ci.yml index 78eaf212..79073f18 100644 --- a/.github/workflows/test-api-ci.yml +++ b/.github/workflows/test-api-ci.yml @@ -5,6 +5,9 @@ on: paths: - integration-tests/test-api/** +permissions: + content: read + concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true diff --git a/.github/workflows/test-api-push.yml b/.github/workflows/test-api-push.yml index 5acdb085..c0fa0c93 100644 --- a/.github/workflows/test-api-push.yml +++ b/.github/workflows/test-api-push.yml 
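Review bot: The permissions entry added to test-api-ci.yml is spelled `content: read`, but the GITHUB_TOKEN scope is named `contents`; the same misspelling is added to test-api-push.yml and typedoc-manual-deploy.yml. GitHub validates scope names in a `permissions` block, so these three workflow files would most likely be rejected as invalid and stop running instead of running with a read-only token. Each should read `contents: read`, matching the other workflows this commit touches. In typedoc-manual-deploy.yml the `deploy_docs` job also declares its own `permissions`, whose entries lie outside the hunk, so check that the job-level block still grants what the deploy step needs.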
@@ -7,6 +7,9 @@ on:
 paths:
 - integration-tests/test-api/**
 
+permissions:
+ content: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
diff --git a/.github/workflows/typedoc-manual-deploy.yml b/.github/workflows/typedoc-manual-deploy.yml
index 79c869db..a6c98eb5 100644
--- a/.github/workflows/typedoc-manual-deploy.yml
+++ b/.github/workflows/typedoc-manual-deploy.yml
@@ -3,6 +3,9 @@ name: Publish TypeDocs
 on:
 workflow_dispatch:
 
+permissions:
+ content: read
+
 jobs:
 deploy_docs:
 permissions:
@@ -43,4 +46,4 @@ jobs:
 run: node scripts/publish-docs.mjs
 env:
 GIT_USERNAME: ${{ steps.import-gpg.outputs.name }}
- GIT_EMAIL: ${{ steps.import-gpg.outputs.email }}
\ No newline at end of file
+ GIT_EMAIL: ${{ steps.import-gpg.outputs.email }}