diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 964db888b..d9e50bb41 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -4,6 +4,9 @@ name: Java Format Check
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   check-java:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/manual.yml b/.github/workflows/manual.yml
index fc44ba70e..6226d06cf 100644
--- a/.github/workflows/manual.yml
+++ b/.github/workflows/manual.yml
@@ -11,6 +11,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   manual-ci-verification:
     uses: ./.github/workflows/test_models_dafny_verification.yml
diff --git a/.github/workflows/nightly_dafny.yml b/.github/workflows/nightly_dafny.yml
index 2ef4b850b..474029a58 100644
--- a/.github/workflows/nightly_dafny.yml
+++ b/.github/workflows/nightly_dafny.yml
@@ -10,6 +10,9 @@ on:
     # https://github.com/dafny-lang/dafny/blob/master/.github/workflows/deep-tests.yml#L16
     - cron: "30 16 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   dafny-nightly-verification:
     # Don't run the cron builds on forks
diff --git a/.github/workflows/pull.yml b/.github/workflows/pull.yml
index 85770b87f..90a2d2108 100644
--- a/.github/workflows/pull.yml
+++ b/.github/workflows/pull.yml
@@ -4,6 +4,9 @@ name: PR CI
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   pr-populate-dafny-versions:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 9f036644d..7c20efa16 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -6,6 +6,9 @@ on:
     branches:
       - main-1.x
 
+permissions:
+  contents: read
+
 jobs:
   pr-populate-dafny-versions:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/smithy-dafny-conversion.yml b/.github/workflows/smithy-dafny-conversion.yml
index 4109b7bd3..5163864fd 100644
--- a/.github/workflows/smithy-dafny-conversion.yml
+++ b/.github/workflows/smithy-dafny-conversion.yml
@@ -6,6 +6,9 @@ on:
     branches:
       - main-1.x
 
+permissions:
+  contents: read
+
 jobs:
   gradle-build-smithy-dafny-conversion:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/smithy-polymorph.yml b/.github/workflows/smithy-polymorph.yml
index faa4957af..2fae13bf8 100644
--- a/.github/workflows/smithy-polymorph.yml
+++ b/.github/workflows/smithy-polymorph.yml
@@ -6,6 +6,9 @@ on:
     branches:
       - main-1.x
 
+permissions:
+  contents: read
+
 jobs:
   gradle-build-smithy-dafny:
     strategy:
diff --git a/.github/workflows/test_models_dafny_verification.yml b/.github/workflows/test_models_dafny_verification.yml
index e5a4bbeee..b196441ab 100644
--- a/.github/workflows/test_models_dafny_verification.yml
+++ b/.github/workflows/test_models_dafny_verification.yml
@@ -13,6 +13,9 @@ on:
         type: number
         default: 10
 
+permissions:
+  contents: read
+
 jobs:
   populate-matrix-dimensions:
     runs-on: ubuntu-22.04