diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 3c5ad071dca..3dda201454a 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -5,6 +5,9 @@ on:
 - closed
 - labeled
+permissions:
+ contents: read
+
 jobs:
 main:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index 5b607a99406..d42b89e998e 100644
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -2,6 +2,10 @@ name: Trigger Docker build on release
 on:
 release:
 types: [released]
+
+permissions:
+ contents: read
+
 jobs:
 curl:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docs-checker.yml b/.github/workflows/docs-checker.yml
index 722c1252ed9..a6201cb50e6 100644
--- a/.github/workflows/docs-checker.yml
+++ b/.github/workflows/docs-checker.yml
@@ -3,6 +3,9 @@ on:
 pull_request:
 types: [ opened, synchronize, reopened, edited ]
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/initiate_release.yml b/.github/workflows/initiate_release.yml
index 321d6f5b403..5b6536844fc 100644
--- a/.github/workflows/initiate_release.yml
+++ b/.github/workflows/initiate_release.yml
@@ -2,6 +2,10 @@
 # To add/remove versions just modify the matrix.
 name: Create weekly release pull requests
+
+permissions:
+ contents: read
+
 on:
 schedule:
 # 9:30 UTC => 3 PM IST Tuesday
diff --git a/.github/workflows/labeller.yml b/.github/workflows/labeller.yml
index a7744006117..47b67857d65 100644
--- a/.github/workflows/labeller.yml
+++ b/.github/workflows/labeller.yml
@@ -3,6 +3,10 @@ on:
 pull_request_target:
 types: [opened, reopened]
+permissions:
+ issues: write
+ pull-requests: write
+
 jobs:
 triage:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index c7caa4cbab2..fc9744405d0 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
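Review bot: `contents: read` in backport.yml (and likewise in initiate_release.yml and release.yml) leaves GITHUB_TOKEN unable to push branches or tags or to open pull requests, which is what workflows with these names usually do. The job bodies are outside the hunks, so confirm each one authenticates its writes with a separate secret rather than the default token. If they do, keep in mind that `permissions:` scopes only GITHUB_TOKEN and does not constrain that secret; a comment above the block such as `# GITHUB_TOKEN is read-only here; writes use a dedicated token from secrets` would record this. If any step still relies on GITHUB_TOKEN for a write, grant the single scope it needs at job level (for example `pull-requests: write`) rather than widening the workflow default.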
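Review bot: labeller.yml runs on `pull_request_target`, so the `issues: write` and `pull-requests: write` token added here is issued to runs that pull requests from forks can trigger. The `triage` job body is outside the hunk, so confirm it never checks out or executes the pull request's head code. Because the block lists no `contents` key, that scope drops to `none`; if the job reads a label configuration from the repository, add `contents: read`. A comment above `permissions:` such as `# pull_request_target: token is writable, never check out PR code in this workflow` would document the constraint, and it is worth checking whether `issues: write` is needed at all if the job only applies existing labels to pull requests.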
@@ -3,6 +3,9 @@ name: Linters
 on:
 pull_request: { }
+permissions:
+ contents: read
+
 jobs:
 linters:
diff --git a/.github/workflows/patch.yml b/.github/workflows/patch.yml
index 23686aed68c..d7431c0997b 100644
--- a/.github/workflows/patch.yml
+++ b/.github/workflows/patch.yml
@@ -10,6 +10,9 @@ on:
 - '**.csv'
 workflow_dispatch:
+permissions:
+ contents: read
+
 concurrency:
 group: patch-develop-${{ github.event_name }}-${{ github.event.number || github.event_name == 'workflow_dispatch' && github.run_id || '' }}
 cancel-in-progress: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 93b17323681..0affbd557dd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,10 @@ on:
 push:
 branches:
 - version-13
+
+permissions:
+ contents: read
+
 jobs:
 release:
 name: Release
diff --git a/.github/workflows/run-indinvidual-tests.yml b/.github/workflows/run-indinvidual-tests.yml
index 8401fbc5521..3c9f8ffbc5b 100644
--- a/.github/workflows/run-indinvidual-tests.yml
+++ b/.github/workflows/run-indinvidual-tests.yml
@@ -7,6 +7,9 @@ concurrency:
 group: server-individual-tests-develop-${{ github.event_name }}-${{ github.event.number || github.event_name == 'workflow_dispatch' && github.run_id || '' }}
 cancel-in-progress: false
+permissions:
+ contents: read
+
 jobs:
 discover:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/server-tests-mariadb-faux.yml b/.github/workflows/server-tests-mariadb-faux.yml
index 8334661cb0c..d48a13d9b06 100644
--- a/.github/workflows/server-tests-mariadb-faux.yml
+++ b/.github/workflows/server-tests-mariadb-faux.yml
@@ -10,6 +10,9 @@ on:
 - "**.md"
 - "**.html"
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/server-tests-mariadb.yml b/.github/workflows/server-tests-mariadb.yml
index fdc7f09bfc5..5ceac8d37c2 100644
--- a/.github/workflows/server-tests-mariadb.yml
+++ b/.github/workflows/server-tests-mariadb.yml
@@ -25,6 +25,9 @@ on:
 required: false
 type: string
+permissions:
+ contents: read
+
 concurrency:
 group: server-mariadb-develop-${{ github.event_name }}-${{ github.event.number || github.event_name == 'workflow_dispatch' && github.run_id || '' }}
 cancel-in-progress: true
diff --git a/.github/workflows/server-tests-postgres.yml b/.github/workflows/server-tests-postgres.yml
index e814a8b13dc..62991778184 100644
--- a/.github/workflows/server-tests-postgres.yml
+++ b/.github/workflows/server-tests-postgres.yml
@@ -12,6 +12,9 @@ concurrency:
 group: server-postgres-develop-${{ github.event_name }}-${{ github.event.number || github.event_name == 'workflow_dispatch' && github.run_id || '' }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 test:
 if: ${{ contains(github.event.pull_request.labels.*.name, 'postgres') }}