diff --git a/.github/workflows/dependabot-auto-approve.yml b/.github/workflows/dependabot-auto-approve.yml
index 66bf8ad84..774c2c631 100644
--- a/.github/workflows/dependabot-auto-approve.yml
+++ b/.github/workflows/dependabot-auto-approve.yml
@@ -2,6 +2,7 @@ name: Dependabot auto-approve
 on: pull_request
 
 permissions:
+  contents: read
   pull-requests: write
 
 jobs:
diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
index 548441d96..540ff7c8f 100644
--- a/.github/workflows/php.yml
+++ b/.github/workflows/php.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/split_monorepo.yaml b/.github/workflows/split_monorepo.yaml
index 2a1faefa1..94879e6ad 100644
--- a/.github/workflows/split_monorepo.yaml
+++ b/.github/workflows/split_monorepo.yaml
@@ -9,6 +9,9 @@ on:
   create:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   gitsplit:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update-dependabot-config.yml b/.github/workflows/update-dependabot-config.yml
index e937f2c60..43f55f42b 100644
--- a/.github/workflows/update-dependabot-config.yml
+++ b/.github/workflows/update-dependabot-config.yml
@@ -7,6 +7,9 @@ on:
   # Allow manual triggering
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update-dependabot-config:
     runs-on: ubuntu-latest