diff --git a/.github/workflows/allboards.yml b/.github/workflows/allboards.yml
index 6910ad05d3f..31eee587ca9 100644
--- a/.github/workflows/allboards.yml
+++ b/.github/workflows/allboards.yml
@@ -5,6 +5,9 @@ on:
 repository_dispatch:
 types: [test-boards]
+permissions:
+ contents: read
+
 jobs:
 find-boards:
 runs-on: ubuntu-latest
@@ -36,10 +39,6 @@ jobs:
 with:
 ref: ${{ github.event.client_payload.branch }}
- - run: npm install
- - name: Setup jq
- uses: dcarbone/install-jq-action@e397bd87438d72198f81efd21f876461183d383a # v3.0.1
-
 - id: set-test-chunks
 name: Set Chunks
 run: echo "test-chunks<> $GITHUB_OUTPUT
diff --git a/.github/workflows/boards.yml b/.github/workflows/boards.yml
index 287e97219c4..4ddb1443746 100644
--- a/.github/workflows/boards.yml
+++ b/.github/workflows/boards.yml
@@ -8,6 +8,9 @@ on:
 - "libraries/ESP32/examples/CI/CIBoardsTest/CIBoardsTest.ino"
 - ".github/workflows/boards.yml"
+permissions:
+ contents: read
+
 env:
 # It's convenient to set variables for values used multiple times in the workflow
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
@@ -24,9 +27,6 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - name: Setup jq
- uses: dcarbone/install-jq-action@e397bd87438d72198f81efd21f876461183d383a # v3.0.1
-
 - name: Get board name
 run: bash .github/scripts/find_new_boards.sh ${{ github.repository }} ${{github.base_ref}}
diff --git a/.github/workflows/build_component.yml b/.github/workflows/build_component.yml
index 5553b4b2024..6d5dd38c626 100644
--- a/.github/workflows/build_component.yml
+++ b/.github/workflows/build_component.yml
@@ -45,6 +45,9 @@ on:
 - "!*.txt"
 - "!*.properties"
+permissions:
+ contents: read
+
 concurrency:
 group: build-component-${{github.event.pull_request.number || github.ref}}
 cancel-in-progress: true
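Review bot: Dropping the pinned `Setup jq` step in the allboards.yml hunk at line 36 leaves the `Set Chunks` step depending on whatever jq the `ubuntu-latest` image happens to ship, with nothing in the workflow recording that assumption; the same step is removed in the boards.yml hunk at line 24. That is fine on the hosted image, but it fails silently if either job is later moved into a container or onto a self-hosted runner — build_component.yml keeps the install for exactly that reason, per the comment added there. A one-line `# jq is preinstalled on the hosted ubuntu image` above the step that uses it, or a `- run: jq --version` ahead of `Set Chunks`, would make the dependency visible. The enclosing jobs continue past the end of both hunks.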
@@ -114,6 +117,7 @@ jobs:
 submodules: recursive
 path: components/arduino-esp32
+ # Need to install jq in the container to be able to use it in the script
 - name: Setup jq
 uses: dcarbone/install-jq-action@e397bd87438d72198f81efd21f876461183d383a # v3.0.1
diff --git a/.github/workflows/build_py_tools.yml b/.github/workflows/build_py_tools.yml
index bbb36589c84..e22d8df5eff 100644
--- a/.github/workflows/build_py_tools.yml
+++ b/.github/workflows/build_py_tools.yml
@@ -9,6 +9,10 @@ on:
 - "tools/gen_esp32part.py"
 - "tools/gen_insights_package.py"
+permissions:
+ contents: write
+ pull-requests: read
+
 jobs:
 find-changed-tools:
 name: Check if tools have been changed
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 9b2c6bccab1..26bd868c190 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -15,6 +15,12 @@ on:
 - ".github/workflows/*.yml"
 - ".github/workflows/*.yaml"
+permissions:
+ actions: read
+ contents: read
+ pull-requests: read
+ security-events: write
+
 jobs:
 codeql-analysis:
 name: CodeQL ${{ matrix.language }} analysis
diff --git a/.github/workflows/docs_build.yml b/.github/workflows/docs_build.yml
index d9b9f160228..5253c166f85 100644
--- a/.github/workflows/docs_build.yml
+++ b/.github/workflows/docs_build.yml
@@ -13,6 +13,9 @@ on:
 - "docs/**"
 - ".github/workflows/docs_build.yml"
+permissions:
+ contents: read
+
 jobs:
 build-docs:
 name: Build ESP-Docs
diff --git a/.github/workflows/docs_deploy.yml b/.github/workflows/docs_deploy.yml
index 9f45e35aef8..0c54d24aaf9 100644
--- a/.github/workflows/docs_deploy.yml
+++ b/.github/workflows/docs_deploy.yml
@@ -13,6 +13,9 @@ on:
 - "docs/**"
 - ".github/workflows/docs_deploy.yml"
+permissions:
+ contents: read
+
 jobs:
 deploy-prod-docs:
 name: Deploy Documentation on Production
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index 60795229eff..5dcb46dc36a 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
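Review bot: `contents: write` is granted at workflow level in the build_py_tools.yml hunk, so every job in the file — including `find-changed-tools`, which from its name only inspects the diff — runs with a token that can push to the repository. Keep the top-level block at the read-only minimum, `permissions:` / `contents: read`, and put `contents: write` in a job-level `permissions:` on the one job that actually commits; note that a job-level block replaces the workflow-level one for that job, so any read scopes that job needs must be repeated there. The same workflow-wide write grants are added in the gh-pages.yml, lib.yml, pre-commit.yml, publishsizes-2.x.yml, push.yml and release.yml hunks, and lib.yml, pre-commit.yml and push.yml key their concurrency group on `github.event.pull_request.number`, so there the write-capable token is handed to jobs running for same-repository pull requests. The jobs themselves are outside these hunks, so which step needs write access cannot be confirmed from here.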
@@ -10,6 +10,10 @@ on:
 - ".github/scripts/on-pages.sh"
 - ".github/workflows/gh-pages.yml"
+permissions:
+ contents: write
+ pages: write
+
 jobs:
 build-pages:
 name: Build GitHub Pages
diff --git a/.github/workflows/lib.yml b/.github/workflows/lib.yml
index 0cb50842e5d..8af0992ebea 100644
--- a/.github/workflows/lib.yml
+++ b/.github/workflows/lib.yml
@@ -13,6 +13,11 @@ concurrency:
 group: libs-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: write
+ pull-requests: read
+ pages: write
+
 env:
 # It's convenient to set variables for values used multiple times in the workflow
 SKETCHES_REPORTS_PATH: libraries-report
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index a3b858dd0fb..7eb60afc468 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -12,6 +12,10 @@ concurrency:
 group: pre-commit-${{github.event.pull_request.number || github.ref}}
 cancel-in-progress: true
+permissions:
+ contents: write
+ pull-requests: read
+
 jobs:
 lint:
 if: |
diff --git a/.github/workflows/publishlib.yml b/.github/workflows/publishlib.yml
index 0e1c3f64afd..f97a2e3b5f5 100644
--- a/.github/workflows/publishlib.yml
+++ b/.github/workflows/publishlib.yml
@@ -12,6 +12,10 @@ env:
 SKETCHES_REPORTS_PATH: artifacts/libraries-report
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 lib-test-results:
 name: External Libraries Test Results
diff --git a/.github/workflows/publishsizes-2.x.yml b/.github/workflows/publishsizes-2.x.yml
index 738e215bc3f..f912445e622 100644
--- a/.github/workflows/publishsizes-2.x.yml
+++ b/.github/workflows/publishsizes-2.x.yml
@@ -9,6 +9,10 @@ env:
 RESULT_SIZES_TEST_FILE: SIZES_TEST.md
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 sizes-test-results:
 name: Sizes Comparison Results
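Review bot: `pages: write` in the gh-pages.yml hunk is only useful together with `id-token: write` when the deploy step is the OIDC-based `actions/deploy-pages`; if the `build-pages` job instead pushes the built site to a branch, `contents: write` already covers that and `pages: write` is an unused scope. One of the two grants therefore looks either insufficient or redundant, and the job that would settle it is outside the hunk. The same `pages: write` scope is added in the lib.yml, publishsizes.yml, push.yml and release.yml hunks; each file is worth checking for an actual Pages deployment step, adding `id-token: write` where one exists and dropping `pages: write` where none does.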
diff --git a/.github/workflows/publishsizes.yml b/.github/workflows/publishsizes.yml
index fad2418668c..611ee741efa 100644
--- a/.github/workflows/publishsizes.yml
+++ b/.github/workflows/publishsizes.yml
@@ -12,6 +12,11 @@ env:
 SKETCHES_REPORTS_PATH: artifacts/sizes-report
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+permissions:
+ contents: read
+ pull-requests: write
+ pages: write
+
 jobs:
 sizes-test-results:
 name: Sizes Comparison Results
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 48530e30bc9..a415ccde755 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -56,6 +56,11 @@ concurrency:
 group: build-${{github.event.pull_request.number || github.ref}}
 cancel-in-progress: true
+permissions:
+ contents: write
+ pull-requests: read
+ pages: write
+
 env:
 MAX_CHUNKS: 15
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7b23c80c49a..ddefdf69258 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,10 @@ on:
 release:
 types: published
+permissions:
+ contents: write
+ pages: write
+
 jobs:
 build:
 name: Publish Release
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 058d9a3a793..611bd21307d 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -34,6 +34,10 @@ concurrency:
 group: tests-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 push-event-file:
 name: Push event file
diff --git a/.github/workflows/tests_build.yml b/.github/workflows/tests_build.yml
index ac1f40644ed..23405dc275e 100644
--- a/.github/workflows/tests_build.yml
+++ b/.github/workflows/tests_build.yml
@@ -12,6 +12,9 @@ on:
 description: "Chip to build tests for"
 required: true
+permissions:
+ contents: read
+
 jobs:
 build-tests:
 name: Build ${{ inputs.type }} tests for ${{ inputs.chip }}
diff --git a/.github/workflows/tests_hw.yml b/.github/workflows/tests_hw.yml
index 6f5fc67f7b9..c81234ea727 100644
--- a/.github/workflows/tests_hw.yml
+++ b/.github/workflows/tests_hw.yml
@@ -12,6 +12,9 @@ on:
 description: "Chip to run tests for"
 required: true
+permissions:
+ contents: read
+
 env:
 DEBIAN_FRONTEND: noninteractive
diff --git a/.github/workflows/tests_qemu.yml b/.github/workflows/tests_qemu.yml
index fa3f874cbbb..e4652bc9b74 100644
--- a/.github/workflows/tests_qemu.yml
+++ b/.github/workflows/tests_qemu.yml
@@ -10,6 +10,9 @@ on:
 required: true
 type: string
+permissions:
+ contents: read
+
 jobs:
 qemu-test:
 name: QEMU ${{ inputs.chip }} ${{ inputs.type }} tests
diff --git a/.github/workflows/tests_results.yml b/.github/workflows/tests_results.yml
index ebba2a3aa08..8eae2b23f63 100644
--- a/.github/workflows/tests_results.yml
+++ b/.github/workflows/tests_results.yml
@@ -7,7 +7,8 @@ on:
 - completed
 # No permissions by default
-permissions: { contents: read }
+permissions:
+ contents: read
 jobs:
 unit-test-results:
diff --git a/.github/workflows/tests_wokwi.yml b/.github/workflows/tests_wokwi.yml
index 03dd64fc0fb..cf302180b01 100644
--- a/.github/workflows/tests_wokwi.yml
+++ b/.github/workflows/tests_wokwi.yml
@@ -7,7 +7,8 @@ on:
 - completed
 # No permissions by default
-permissions: { contents: read }
+permissions:
+ contents: read
 env:
 WOKWI_TIMEOUT: 600000 # Milliseconds