diff --git a/.github/workflows/acceptance-tests.yaml b/.github/workflows/acceptance-tests.yaml
index 4465ed93eb..9335776f02 100644
--- a/.github/workflows/acceptance-tests.yaml
+++ b/.github/workflows/acceptance-tests.yaml
@@ -1,5 +1,8 @@
 name: Acceptance Tests
+permissions:
+ contents: read
+
 on:
 pull_request:
 merge_group:
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
index 0c6bff2a23..ccd5393dbc 100644
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@@ -1,6 +1,9 @@
 name: Lint GitHub Actions workflows
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 actionlint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/announce.yaml b/.github/workflows/announce.yaml
index 67ef201d88..3ff6b2de1e 100644
--- a/.github/workflows/announce.yaml
+++ b/.github/workflows/announce.yaml
@@ -1,5 +1,8 @@
 name: Slack Announcement
+permissions:
+ contents: read
+
 on:
 release:
 types:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index f0bf67f1b0..21bbfcdbda 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -5,6 +5,9 @@
 # or to provide custom queries or build logic.
 name: "CodeQL"
+permissions:
+ contents: read
+
 on:
 push:
 branches: [master]
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 81b85577e5..9153d6ce65 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -1,4 +1,8 @@
 name: Documentation Checks
+
+permissions:
+ contents: read
+
 on:
 push:
 branches:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 24ba65f029..491659299f 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -1,5 +1,8 @@
 name: Nightly Acceptance Tests
+permissions:
+ contents: read
+
 on:
 schedule:
 # Will run at 00:00 every day
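Review bot: The new top-level `permissions:` block in acceptance-tests.yaml carries no comment explaining its effect: once any scope is listed, every unlisted scope drops to `none` for all jobs in the workflow, so `contents: read` is the entire GITHUB_TOKEN grant. I would add a line above it such as `# Least-privilege GITHUB_TOKEN default; a job that needs more must declare its own permissions block.` The same uncommented block is added to the other nine workflows in this commit (actionlint, announce, codeql-analysis, documentation, nightly, purge, terrafmt, tfproviderlint, unit-tests). The job definitions are outside these hunks, so it is worth confirming that none of them posts PR comments, requests an OIDC token, or otherwise relies on a scope beyond `contents: read`.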
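Review bot: In codeql-analysis.yml the workflow-level `contents: read` leaves `security-events` at `none`, and the CodeQL analyze step needs `security-events: write` to upload its results to code scanning. The jobs section is outside this hunk, so this only applies if the analysis job does not already declare its own permissions. If it does not, add a job-level block with `security-events: write` next to `contents: read` (plus `actions: read` if the repository is private). Without it the result upload would presumably be rejected, and code-scanning coverage on `push` to master would lapse until someone notices the failing run.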
diff --git a/.github/workflows/purge.yml b/.github/workflows/purge.yml
index 035d0319a1..b73174596d 100644
--- a/.github/workflows/purge.yml
+++ b/.github/workflows/purge.yml
@@ -1,4 +1,8 @@
 name: Manual Purge
+
+permissions:
+ contents: read
+
 on:
 workflow_dispatch:
diff --git a/.github/workflows/terrafmt.yml b/.github/workflows/terrafmt.yml
index 64d72975b1..aae953f92e 100644
--- a/.github/workflows/terrafmt.yml
+++ b/.github/workflows/terrafmt.yml
@@ -1,4 +1,8 @@
 name: Run terrafmt
+
+permissions:
+ contents: read
+
 on:
 pull_request:
 push:
diff --git a/.github/workflows/tfproviderlint.yml b/.github/workflows/tfproviderlint.yml
index 1550fdc5d5..56329af59d 100644
--- a/.github/workflows/tfproviderlint.yml
+++ b/.github/workflows/tfproviderlint.yml
@@ -1,5 +1,8 @@
 name: Run tfproviderlint
+permissions:
+ contents: read
+
 on:
 pull_request:
 push:
diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml
index fb9f53f729..4b898234b7 100644
--- a/.github/workflows/unit-tests.yaml
+++ b/.github/workflows/unit-tests.yaml
@@ -1,5 +1,8 @@
 name: Tests
+permissions:
+ contents: read
+
 on:
 pull_request:
 merge_group: