diff --git a/.github/workflows/delete-pr-build-on-close.yml b/.github/workflows/delete-pr-build-on-close.yml
index 39d58a0b..04badbcb 100644
--- a/.github/workflows/delete-pr-build-on-close.yml
+++ b/.github/workflows/delete-pr-build-on-close.yml
@@ -21,6 +21,8 @@ jobs:
   delete-pre-release:
     name: Delete pre-release if exists
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Delete pre-release and tag named after branch
         env:
diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml
index c2c57f3e..8b6a6c87 100644
--- a/.github/workflows/dependencies.yml
+++ b/.github/workflows/dependencies.yml
@@ -7,6 +7,8 @@ jobs:
   golang:
     name: Bump the Golang version
     runs-on: ubuntu-latest
+    permissions:
+      contents: none # Permissions are set with an application token
     steps:
       - name: Gather credentials
         id: credentials
diff --git a/.github/workflows/e2e_tests.yml b/.github/workflows/e2e_tests.yml
index 6dbf2854..21216dad 100644
--- a/.github/workflows/e2e_tests.yml
+++ b/.github/workflows/e2e_tests.yml
@@ -17,6 +17,8 @@ jobs:
   execute:
     name: Start tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: none
     steps:
       - name: Trigger CircleCI 'local' workflow
         if: ${{ github.event.inputs.status == 'false' }}
diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml
index 77c5004f..31cb4b62 100644
--- a/.github/workflows/license_check.yml
+++ b/.github/workflows/license_check.yml
@@ -10,6 +10,8 @@ jobs:
   check-headers:
     name: Check that license headers are in place
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4.2.2
         with:
diff --git a/.github/workflows/sync-docs-from-cli-repo.yml b/.github/workflows/sync-docs-from-cli-repo.yml
index 6a096639..cae008df 100644
--- a/.github/workflows/sync-docs-from-cli-repo.yml
+++ b/.github/workflows/sync-docs-from-cli-repo.yml
@@ -17,7 +17,8 @@ jobs:
   config-sync:
     name: Sync docs to docs site repo
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
     steps:
       - name: Generate a GitHub token
         id: ghtoken
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index bac256ab..cba3ab5c 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -15,6 +15,8 @@ jobs:
   lint-test:
     name: Lints and Unit tests
     runs-on: macos-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4.2.2
         with:
@@ -49,6 +51,9 @@ jobs:
   health-score:
     needs: lint-test
     runs-on: macos-latest
+    permissions:
+      checks: write
+      contents: read
     steps:
       - uses: actions/checkout@v4.2.2
       - name: Set up Go