diff --git a/.github/workflows/config_coverage.yml b/.github/workflows/config_coverage.yml
index fe90d98252..00800ffb8a 100644
--- a/.github/workflows/config_coverage.yml
+++ b/.github/workflows/config_coverage.yml
@@ -21,6 +21,8 @@ on:
   # Allow running this job manually from either API or GitHub UI.
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   checker-config-coverage:
     name: "Config coverage of checkers"
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index a8c1686f98..d0140fdc39 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -5,6 +5,8 @@ on:
   release:
     types: [published]
 
+permissions: read-all
+
 jobs:
   main:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index bc94e01bb9..70b5129feb 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -6,6 +6,8 @@ on:
   release:
     types: [published]
 
+permissions: read-all
+
 jobs:
   build:
     name: Build pypi package
diff --git a/.github/workflows/snap.yml b/.github/workflows/snap.yml
index 251dcbd7ff..53ce59943e 100644
--- a/.github/workflows/snap.yml
+++ b/.github/workflows/snap.yml
@@ -5,6 +5,8 @@ on:
   release:
     types: [published]
 
+permissions: read-all
+
 jobs:
   build:
     name: Build snap package
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8c78c8622c..e4e2983193 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -3,6 +3,8 @@ name: codechecker-tests
 # Triggers the workflow on push or pull request events.
 on: [push, pull_request]
 
+permissions: read-all
+
 jobs:
   # Note: UI related linter tests will run in the gui job.
   lint: