diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 26789093f2..787b2420ac 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -6,6 +6,9 @@ on:
         description: "The pull request # to backport"
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   backport:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 491ddd27fa..cbbc612f03 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -10,6 +10,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   changelog:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 8ef01d21cb..5416c39d5a 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,6 +14,9 @@ on:
     #        *  * * * *
     - cron: '30 1 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL-Build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml
index f0068701f7..cd84f16095 100644
--- a/.github/workflows/component-owners.yml
+++ b/.github/workflows/component-owners.yml
@@ -6,6 +6,9 @@ name: 'Component Owners'
 on:
   pull_request_target:
 
+permissions:
+  contents: read
+
 jobs:
   run_self:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/core_contrib_test_0.yml b/.github/workflows/core_contrib_test_0.yml
index fce687457e..e3362fb45b 100644
--- a/.github/workflows/core_contrib_test_0.yml
+++ b/.github/workflows/core_contrib_test_0.yml
@@ -13,6 +13,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 env:
   CORE_REPO_SHA: ${{ inputs.CORE_REPO_SHA }}
   CONTRIB_REPO_SHA: ${{ inputs.CONTRIB_REPO_SHA }}
diff --git a/.github/workflows/lint_0.yml b/.github/workflows/lint_0.yml
index 406e1aecb0..8583425708 100644
--- a/.github/workflows/lint_0.yml
+++ b/.github/workflows/lint_0.yml
@@ -9,6 +9,9 @@ on:
     - 'release/*'
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true