diff --git a/.github/workflows/atlas-image-build.yaml b/.github/workflows/atlas-image-build.yaml
index ac95a9fed4..4820f89d61 100644
--- a/.github/workflows/atlas-image-build.yaml
+++ b/.github/workflows/atlas-image-build.yaml
@@ -1,5 +1,8 @@
 name: build-mongodb-atlas-tools-image
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/grype-vulnerability-scanner.yaml b/.github/workflows/grype-vulnerability-scanner.yaml
index 089946dc98..861858f763 100644
--- a/.github/workflows/grype-vulnerability-scanner.yaml
+++ b/.github/workflows/grype-vulnerability-scanner.yaml
@@ -1,4 +1,6 @@
 name: container vulnerability scanning
+permissions:
+  contents: read
 on:
   workflow_dispatch:
   workflow_run:
diff --git a/.github/workflows/kanister-image-build.yaml b/.github/workflows/kanister-image-build.yaml
index 281c4da99b..dddef7c04f 100644
--- a/.github/workflows/kanister-image-build.yaml
+++ b/.github/workflows/kanister-image-build.yaml
@@ -1,5 +1,8 @@
 name: build-kanister-image
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index ee492eb314..b3017d38a7 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -1,4 +1,6 @@
 name: Build and test
+permissions:
+  contents: read
 on:
   push:
     branches:
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index d4e17dd070..9419e8e6fb 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -1,5 +1,8 @@
 name: Manage Stale Issues and PRs
 
+permissions:
+  contents: read
+
 on:
   schedule:
   - cron: "0 0 * * *"
diff --git a/.github/workflows/triage-issues.yaml b/.github/workflows/triage-issues.yaml
index 0a70276810..59aea954a1 100644
--- a/.github/workflows/triage-issues.yaml
+++ b/.github/workflows/triage-issues.yaml
@@ -1,5 +1,8 @@
 name: Triage Issues
 
+permissions:
+  contents: read
+
 on:
   issues:
     types: