diff --git a/.github/workflows/changelog.yaml b/.github/workflows/changelog.yaml
index 390dfcfc09bb5..d7b94723feadc 100644
--- a/.github/workflows/changelog.yaml
+++ b/.github/workflows/changelog.yaml
@@ -16,6 +16,9 @@ on:
 merge_group:
 types: [checks_requested]

+permissions:
+ contents: read
+
 jobs:
 validate-changelog:
 permissions:
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 179a849e92a0e..c2693a2d33a18 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -40,9 +40,9 @@ jobs:
 branch: 'vector'
 remote-repository-name: cla-signatures
 remote-organization-name: DataDog
+ allowlist: step-security-bot
 # the followings are the optional inputs - If the optional inputs are not given, then default values will be taken
- #allowlist: user1,bot*
 #create-file-commit-message: 'For example: Creating file for storing CLA Signatures'
 #signed-commit-message: 'For example: $contributorName has signed the CLA in $owner/$repo#$pullRequestNo'
 #custom-notsigned-prcomment: 'pull request comment with Introductory message to ask new contributors to sign'
diff --git a/.github/workflows/cleanup-ghcr-images.yml b/.github/workflows/cleanup-ghcr-images.yml
index a2ab8ae35ede6..709190f9af108 100644
--- a/.github/workflows/cleanup-ghcr-images.yml
+++ b/.github/workflows/cleanup-ghcr-images.yml
@@ -13,6 +13,9 @@ on:
 - cron: '0 2 * * 0'
 workflow_dispatch:

+permissions:
+ contents: read
+
 jobs:
 cleanup:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/gardener_open_issue.yml b/.github/workflows/gardener_open_issue.yml
index c8ba082d3ed63..87389577949ac 100644
--- a/.github/workflows/gardener_open_issue.yml
+++ b/.github/workflows/gardener_open_issue.yml
@@ -6,6 +6,9 @@ on:
 types:
 - opened

+permissions:
+ contents: read
+
 jobs:
 add-to-project:
 name: Add issue to Gardener project board
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 7fc80a2846cfb..e94a4bb384ec6 100644
--- a/.github/workflows/labeler.yml
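Review bot: The new `allowlist: step-security-bot` line in cla.yml carries no comment saying why this account is exempt from signing, and the commented-out example it replaces (`#allowlist: user1,bot*`) shows the input is a comma-separated list that accepts wildcards, so a reader may assume this is a pattern rather than an exact login. I would annotate it, e.g. `allowlist: step-security-bot  # automated account exempt from the CLA check; exact login, no wildcard`. Confirm the value matches the login the bot actually commits under, since a mismatch keeps prompting it to sign, and keep wildcard patterns out of this list so human contributors are not exempted by accident. The enclosing `with:` block of the CLA step starts outside the hunk.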
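Review bot: Adding workflow-level `permissions: contents: read` in cleanup-ghcr-images.yml drops every other GITHUB_TOKEN scope to none, and nothing in this hunk gives the `cleanup` job the `packages: write` it would need to delete GHCR images; the job body is outside the hunk, so verify it already declares a job-level `permissions:` block or authenticates with a separate token, otherwise the scheduled cleanup will fail on the next cron run. The same check applies to the other hunks that add only the top-level block: `add-to-project` in gardener_open_issue.yml (project-board writes generally need a token beyond GITHUB_TOKEN), `label` in labeler.yml (applying labels under `pull_request_target` needs `pull-requests: write`), and `spelling` in spelling.yml. Where a job does need more, grant it at the job level as semantic.yml does in this same commit, e.g. `permissions:` / `  packages: write`, rather than widening the workflow default.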
+++ b/.github/workflows/labeler.yml
@@ -2,6 +2,9 @@ name: "Pull Request Labeler"
 on:
 pull_request_target:

+permissions:
+ contents: read
+
 jobs:
 label:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/master_merge_queue.yml b/.github/workflows/master_merge_queue.yml
index b73039c209cb4..da951506d1344 100644
--- a/.github/workflows/master_merge_queue.yml
+++ b/.github/workflows/master_merge_queue.yml
@@ -20,7 +20,7 @@ on:
 types: [checks_requested]

 permissions:
- statuses: write
+ contents: read

 concurrency:
 # `github.ref` is unique for MQ runs and PRs
@@ -112,6 +112,8 @@ jobs:
 secrets: inherit

 master-merge-queue-check:
+ permissions:
+ statuses: write
 name: Master Merge Queue Suite
 # Always run this so that pull_request triggers are marked as success.
 if: always()
diff --git a/.github/workflows/msrv.yml b/.github/workflows/msrv.yml
index a44bc1018627a..92955d2a751e1 100644
--- a/.github/workflows/msrv.yml
+++ b/.github/workflows/msrv.yml
@@ -14,6 +14,9 @@ env:
 CI: true
 PROFILE: debug

+permissions:
+ contents: read
+
 jobs:
 check-msrv:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/publish-homebrew.yml b/.github/workflows/publish-homebrew.yml
index 47a1a7089d443..4d17069c32818 100644
--- a/.github/workflows/publish-homebrew.yml
+++ b/.github/workflows/publish-homebrew.yml
@@ -17,6 +17,9 @@ on:
 required: true
 type: string

+permissions:
+ contents: read
+
 jobs:
 publish-homebrew:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/semantic.yml b/.github/workflows/semantic.yml
index 40a237787c53d..f8b741f36a4cc 100644
--- a/.github/workflows/semantic.yml
+++ b/.github/workflows/semantic.yml
@@ -9,8 +9,14 @@ on:
 pull_request:
 types: [opened, edited, synchronize]

+permissions:
+ contents: read
+
 jobs:
 main:
+ permissions:
+ pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs
+ statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR
 name: Check Semantic PR
 runs-on: ubuntu-24.04
 steps:
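Review bot: Replacing the workflow-level `statuses: write` with `contents: read` in master_merge_queue.yml also lowers the ceiling for every reusable workflow this file calls (the `secrets: inherit` in the next hunk indicates at least one `uses:` job), because a called workflow's GITHUB_TOKEN can only be narrowed from what the calling job passes, never raised. Those calling jobs are outside the hunk; if any called workflow posts statuses, checks or PR comments, it now needs the corresponding scope declared on the calling job's own `permissions:` block. A one-line comment above the block would make the intent explicit, e.g. `# least-privilege default for all jobs; jobs needing more declare it themselves`.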
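Review bot: The job-level `permissions:` added to `master-merge-queue-check` replaces the workflow-level block rather than merging with it, so this job's token now has `statuses: write` and nothing else; the `contents: read` set at the top of the file no longer applies to it. That is fine if the job only reports a status, but if any of its steps read the repository through the token (the steps are outside the hunk) add `contents: read` alongside `statuses: write`. The same applies to the `main` job in semantic.yml, whose new block lists only `pull-requests: read` and `statuses: write`; its inline comments naming the consuming action are a good pattern worth repeating here, e.g. `statuses: write  # reports the aggregate merge-queue result`.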
diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml
index 810fb03867dd3..425111667a5e8 100644
--- a/.github/workflows/spelling.yml
+++ b/.github/workflows/spelling.yml
@@ -67,6 +67,9 @@ on:
 - 'reopened'
 - 'synchronize'

+permissions:
+ contents: read
+
 jobs:
 spelling:
 name: Check Spelling