diff --git a/.github/workflows/dependabot-auto-approve.yml b/.github/workflows/dependabot-auto-approve.yml
index 66bf8ad84..d7f57ae37 100644
--- a/.github/workflows/dependabot-auto-approve.yml
+++ b/.github/workflows/dependabot-auto-approve.yml
@@ -2,10 +2,12 @@ name: Dependabot auto-approve
 on: pull_request
 
 permissions:
-  pull-requests: write
+  contents: read
 
 jobs:
   dependabot:
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'open-telemetry/opentelemetry-php-contrib'
     steps:
diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
index ef33685a9..28025abbf 100644
--- a/.github/workflows/php.yml
+++ b/.github/workflows/php.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/split_monorepo.yaml b/.github/workflows/split_monorepo.yaml
index 2a1faefa1..94879e6ad 100644
--- a/.github/workflows/split_monorepo.yaml
+++ b/.github/workflows/split_monorepo.yaml
@@ -9,6 +9,9 @@ on:
   create:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   gitsplit:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update-dependabot-config.yml b/.github/workflows/update-dependabot-config.yml
index e937f2c60..43f55f42b 100644
--- a/.github/workflows/update-dependabot-config.yml
+++ b/.github/workflows/update-dependabot-config.yml
@@ -7,6 +7,9 @@ on:
   # Allow manual triggering
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update-dependabot-config:
     runs-on: ubuntu-latest