diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a077bc5ca5..a1661fd98c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
 
 # Commented 2024-11-06, lack of workers in github causes CI failures
diff --git a/.github/workflows/clang-tidy.yaml b/.github/workflows/clang-tidy.yaml
index 8a2c3c1b9b..a894292e00 100644
--- a/.github/workflows/clang-tidy.yaml
+++ b/.github/workflows/clang-tidy.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   clang-tidy:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/cmake_install.yml b/.github/workflows/cmake_install.yml
index 323eb6cebb..be7ac8d30d 100644
--- a/.github/workflows/cmake_install.yml
+++ b/.github/workflows/cmake_install.yml
@@ -7,6 +7,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   windows_2022_vcpkg_submodule:
     name: Windows 2022 vcpkg submodule versions cxx17 (static libs - dll)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 684e925c37..f21eae719a 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -7,8 +7,15 @@ on:
     # The branches below must be a subset of the branches above
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL-Build:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/autobuild to send a status report
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repository
diff --git a/.github/workflows/cppcheck.yml b/.github/workflows/cppcheck.yml
index a1239c75a1..df51371a2d 100644
--- a/.github/workflows/cppcheck.yml
+++ b/.github/workflows/cppcheck.yml
@@ -7,6 +7,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   cppcheck:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/dependencies_image.yml b/.github/workflows/dependencies_image.yml
index ab37ce80ef..96e430c3fa 100644
--- a/.github/workflows/dependencies_image.yml
+++ b/.github/workflows/dependencies_image.yml
@@ -3,6 +3,9 @@ on:
   schedule:
     - cron: "0 3 * * 6"
 
+permissions:
+  contents: read
+
 jobs:
   docker_image:
     name: Docker Image
diff --git a/.github/workflows/project_management_comment.yml b/.github/workflows/project_management_comment.yml
index bddf31549a..621ff9e174 100644
--- a/.github/workflows/project_management_comment.yml
+++ b/.github/workflows/project_management_comment.yml
@@ -4,6 +4,9 @@ on:
   issues:
     types:
       - labeled
+permissions:
+  contents: read
+
 jobs:
   add-comment:
     if: github.event.label.name == 'help wanted'