diff --git a/.github/workflows/cd-deploy-to-dev.yml b/.github/workflows/cd-deploy-to-dev.yml
index 717c3da5..7f3e1ac1 100644
--- a/.github/workflows/cd-deploy-to-dev.yml
+++ b/.github/workflows/cd-deploy-to-dev.yml
@@ -1,5 +1,7 @@
 name: Deploy to dev
 
+permissions: read-all
+
 on:
   workflow_dispatch:
   pull_request:
diff --git a/.github/workflows/cd-deploy-to-prod.yml b/.github/workflows/cd-deploy-to-prod.yml
index 9e201269..5d7e406e 100644
--- a/.github/workflows/cd-deploy-to-prod.yml
+++ b/.github/workflows/cd-deploy-to-prod.yml
@@ -1,5 +1,7 @@
 name: Deploy to prod
 
+permissions: read-all
+
 on:
   release:
     types:
diff --git a/.github/workflows/cd-deploy-to-test.yml b/.github/workflows/cd-deploy-to-test.yml
index 3f109b40..c6f33a58 100644
--- a/.github/workflows/cd-deploy-to-test.yml
+++ b/.github/workflows/cd-deploy-to-test.yml
@@ -1,5 +1,7 @@
 name: Deploy to test
 
+permissions: read-all
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/ci-check-linters.yml b/.github/workflows/ci-check-linters.yml
index fb3f6794..9901bc10 100644
--- a/.github/workflows/ci-check-linters.yml
+++ b/.github/workflows/ci-check-linters.yml
@@ -1,5 +1,7 @@
 name: Lint Code Base
 
+permissions: read-all
+
 on:
   pull_request:
     branches: [master]
diff --git a/.github/workflows/ci-unit-tests.yml b/.github/workflows/ci-unit-tests.yml
index 4118c1a4..fb247122 100644
--- a/.github/workflows/ci-unit-tests.yml
+++ b/.github/workflows/ci-unit-tests.yml
@@ -1,5 +1,7 @@
 name: Unit Tests
 
+permissions: read-all
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/delete-deployment.yml b/.github/workflows/delete-deployment.yml
index 9b7dc18d..dbd00834 100644
--- a/.github/workflows/delete-deployment.yml
+++ b/.github/workflows/delete-deployment.yml
@@ -1,5 +1,7 @@
 name: Delete Cloud Run instances on PR closed by merged
 
+permissions: read-all
+
 on:
   pull_request:
     branches:
diff --git a/.github/workflows/sub-build-push-image.yml b/.github/workflows/sub-build-push-image.yml
index 2c1dc589..db48ca82 100644
--- a/.github/workflows/sub-build-push-image.yml
+++ b/.github/workflows/sub-build-push-image.yml
@@ -1,5 +1,7 @@
 name: Build docker image
 
+permissions: read-all
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/sub-cloudrun-deploy.yml b/.github/workflows/sub-cloudrun-deploy.yml
index c7f5eaf9..5ca7c9b2 100644
--- a/.github/workflows/sub-cloudrun-deploy.yml
+++ b/.github/workflows/sub-cloudrun-deploy.yml
@@ -1,5 +1,7 @@
 name: Deploy to Cloud Run
 
+permissions: read-all
+
 on:
   workflow_call:
     inputs: