diff --git a/.github/workflows/boost_log.yml b/.github/workflows/boost_log.yml
index 9221939df..ac1b469f0 100644
--- a/.github/workflows/boost_log.yml
+++ b/.github/workflows/boost_log.yml
@@ -13,6 +13,9 @@ on:
       - 'instrumentation/boost_log/**'
       - '.github/workflows/boost_log.yml'
 
+permissions:
+  contents: read
+
 jobs:
   cmake_linux:
     name: CMake Linux
diff --git a/.github/workflows/fluentd.yml b/.github/workflows/fluentd.yml
index 804c733d5..f898ae04e 100644
--- a/.github/workflows/fluentd.yml
+++ b/.github/workflows/fluentd.yml
@@ -12,9 +12,12 @@ on:
   pull_request:
     branches: [main]
     paths:
-      - "exporters/fluentd/**"
-      - ".github/workflows/fluentd.yml"
-
+      - "exporters/fluentd/**"
+      - ".github/workflows/fluentd.yml"
+
+permissions:
+  contents: read
+
 jobs:
   cmake_linux:
     name: CMake Linux
diff --git a/.github/workflows/geneva_metrics.yml b/.github/workflows/geneva_metrics.yml
index de4bb2db2..bca96b5f3 100644
--- a/.github/workflows/geneva_metrics.yml
+++ b/.github/workflows/geneva_metrics.yml
@@ -9,8 +9,10 @@ on:
   pull_request:
     branches: [main]
     paths:
-      - "exporters/geneva/**"
-      - ".github/workflows/geneva_metrics.yml"
+      - "exporters/geneva/**"
+      - ".github/workflows/geneva_metrics.yml"
+permissions:
+  contents: read
 jobs:
   cmake_linux:
     name: CMake on Linux
diff --git a/.github/workflows/geneva_trace.yml b/.github/workflows/geneva_trace.yml
index 65bbc184b..e939b44c0 100644
--- a/.github/workflows/geneva_trace.yml
+++ b/.github/workflows/geneva_trace.yml
@@ -14,6 +14,9 @@ on:
     paths:
       - "exporters/geneva-trace/**"
       - ".github/workflows/geneva_trace.yml"
+
+permissions:
+  contents: read
   
 jobs:
   geneva-trace-nuget-generation:
diff --git a/.github/workflows/glog.yml b/.github/workflows/glog.yml
index c7bb9f40b..efd763a9c 100644
--- a/.github/workflows/glog.yml
+++ b/.github/workflows/glog.yml
@@ -13,6 +13,9 @@ on:
       - 'instrumentation/glog/**'
       - '.github/workflows/glog.yml'
 
+permissions:
+  contents: read
+
 jobs:
   cmake_linux:
     name: CMake Linux
diff --git a/.github/workflows/httpd.yml b/.github/workflows/httpd.yml
index 0049da21e..73cb050a0 100644
--- a/.github/workflows/httpd.yml
+++ b/.github/workflows/httpd.yml
@@ -12,6 +12,9 @@ on:
       - 'instrumentation/httpd/**'
       - '.github/workflows/httpd.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build module
diff --git a/.github/workflows/log4cxx.yml b/.github/workflows/log4cxx.yml
index 1f1090e16..ca132e59a 100644
--- a/.github/workflows/log4cxx.yml
+++ b/.github/workflows/log4cxx.yml
@@ -13,6 +13,9 @@ on:
       - 'instrumentation/log4cxx/**'
       - '.github/workflows/log4cxx.yml'
 
+permissions:
+  contents: read
+
 jobs:
   cmake_linux:
     name: CMake Linux
diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml
index 3cc41b906..5627f8638 100644
--- a/.github/workflows/nginx.yml
+++ b/.github/workflows/nginx.yml
@@ -14,9 +14,13 @@ on:
     paths:
       - 'instrumentation/nginx/**'
       - '.github/workflows/nginx.yml'
+permissions:
+  contents: read
 jobs:
   create-release:
     if: startsWith(github.ref, 'refs/tags/nginx')
+    permissions:
+      contents: write # required for creating releases
     runs-on: ubuntu-latest
     steps:
       - name: Release
@@ -25,6 +29,8 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/nginx')
     runs-on: ubuntu-latest
     needs: [nginx-build-test, create-release]
+    permissions:
+      contents: write # required for uploading release artifacts
     steps:
       - name: Create directory
         run: |
diff --git a/.github/workflows/prometheus.yml b/.github/workflows/prometheus.yml
index 77fd1d2c0..27249f201 100644
--- a/.github/workflows/prometheus.yml
+++ b/.github/workflows/prometheus.yml
@@ -12,6 +12,9 @@ on:
       - "exporters/prometheus/**"
       - ".github/workflows/prometheus.yml"
 
+permissions:
+  contents: read
+
 jobs:
   prometheus_bazel_linux:
     name: Bazel on Linux
diff --git a/.github/workflows/spdlog.yml b/.github/workflows/spdlog.yml
index e43cc4358..992af96ff 100644
--- a/.github/workflows/spdlog.yml
+++ b/.github/workflows/spdlog.yml
@@ -13,6 +13,9 @@ on:
       - 'instrumentation/spdlog/**'
       - '.github/workflows/spdlog.yml'
 
+permissions:
+  contents: read
+
 jobs:
   cmake_linux:
     name: CMake Linux
diff --git a/.github/workflows/user_events.yml b/.github/workflows/user_events.yml
index 2e95a7363..f809ef141 100644
--- a/.github/workflows/user_events.yml
+++ b/.github/workflows/user_events.yml
@@ -10,9 +10,12 @@ on:
   pull_request:
     branches: [main]
     paths:
-      - 'exporters/user_events/**'
-      - '.github/workflows/user_events.yml'
-
+      - 'exporters/user_events/**'
+      - '.github/workflows/user_events.yml'
+
+permissions:
+  contents: read
+
 jobs:
   cmake_linux:
     name: CMake Linux
diff --git a/.github/workflows/webserver.yml b/.github/workflows/webserver.yml
index b48f5d5ec..46ce27624 100644
--- a/.github/workflows/webserver.yml
+++ b/.github/workflows/webserver.yml
@@ -12,6 +12,9 @@ on:
       - 'instrumentation/otel-webserver-module/**'
       - '.github/workflows/webserver.yml'
 
+permissions:
+  contents: read
+
 jobs:
   webserver-build-test-ubuntu:
     name: webserver-ubuntu-build