diff --git a/.github/workflows/file_format.yml b/.github/workflows/file_format.yml
index 278fb297d..ea55f2b3e 100644
--- a/.github/workflows/file_format.yml
+++ b/.github/workflows/file_format.yml
@@ -6,6 +6,9 @@ concurrency:
   group: file_fmt-${{ github.head_ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   format:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4afbc848f..ffd7fa3c9 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -14,6 +14,9 @@ on:
     - "**.py"
     - ".github/workflows/lint.yml"
 
+permissions:
+  contents: read
+
 jobs:
 
   pylint:
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index 664c889aa..1bbb4fbb6 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -20,6 +20,9 @@ on:
       - ".github/workflows/macos.yml"
       - "run_unittests.py"
 
+permissions:
+  contents: read
+
 jobs:
   unittests-appleclang:
     runs-on: macos-latest
diff --git a/.github/workflows/msys2.yml b/.github/workflows/msys2.yml
index b49cd70a1..2e09abae7 100644
--- a/.github/workflows/msys2.yml
+++ b/.github/workflows/msys2.yml
@@ -20,6 +20,9 @@ on:
       - ".github/workflows/msys2.yml"
       - "run_unittests.py"
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: windows-2019
diff --git a/.github/workflows/nonative.yml b/.github/workflows/nonative.yml
index e541da3f4..32754f818 100644
--- a/.github/workflows/nonative.yml
+++ b/.github/workflows/nonative.yml
@@ -22,6 +22,9 @@ on:
       - ".github/workflows/nonative.yml"
       - "run*tests.py"
 
+permissions:
+  contents: read
+
 jobs:
   cross-only-armhf:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/os_comp.yml b/.github/workflows/os_comp.yml
index 3f8e8bcc5..f38c81a48 100644
--- a/.github/workflows/os_comp.yml
+++ b/.github/workflows/os_comp.yml
@@ -26,6 +26,9 @@ on:
       - ".github/workflows/os_comp.yml"
       - "run_unittests.py"
 
+permissions:
+  contents: read
+
 jobs:
   arch:
     name: ${{ matrix.cfg.name }}
diff --git a/.github/workflows/unusedargs_missingreturn.yml b/.github/workflows/unusedargs_missingreturn.yml
index a32e28d0b..8118fb244 100644
--- a/.github/workflows/unusedargs_missingreturn.yml
+++ b/.github/workflows/unusedargs_missingreturn.yml
@@ -36,6 +36,9 @@ on:
     - "test cases/objcpp/**"
     - "test caes/windows/**"
 
+permissions:
+  contents: read
+
 jobs:
 
   linux: