diff --git a/.github/workflows/clang-format.yaml b/.github/workflows/clang-format.yaml
index 5e4d96dd3d..11d9352da8 100644
--- a/.github/workflows/clang-format.yaml
+++ b/.github/workflows/clang-format.yaml
@@ -11,6 +11,9 @@ on:
       - develop
       - main
 
+permissions:
+  contents: read
+
 jobs:
   clang-format-check:
     runs-on: macos-13
diff --git a/.github/workflows/close-stale-issues.yml b/.github/workflows/close-stale-issues.yml
index 4f721c936b..2b272c6e23 100644
--- a/.github/workflows/close-stale-issues.yml
+++ b/.github/workflows/close-stale-issues.yml
@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  issues: write
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 28bcf26fcd..0865ec4bcc 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,6 +14,9 @@ on:
       - main
       - 'test-pr-*'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/cross-compilation.yml b/.github/workflows/cross-compilation.yml
index 1588765eca..2cebf4351a 100644
--- a/.github/workflows/cross-compilation.yml
+++ b/.github/workflows/cross-compilation.yml
@@ -10,6 +10,9 @@ on:
       - develop
       - main
 
+permissions:
+  contents: read
+
 jobs:
   linux-cross-compilation:
     timeout-minutes: 15
diff --git a/.github/workflows/doxygen-gh-pages.yml b/.github/workflows/doxygen-gh-pages.yml
index da61eef619..fdf949fb11 100644
--- a/.github/workflows/doxygen-gh-pages.yml
+++ b/.github/workflows/doxygen-gh-pages.yml
@@ -7,6 +7,9 @@ on:
       - develop
       - 'test-pr-*'
 
+permissions:
+  contents: write
+
 jobs:
   generate-and-deploy-doxygen:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-desc-lint.yml b/.github/workflows/pr-desc-lint.yml
index ee2c429ff1..23c9d54de8 100644
--- a/.github/workflows/pr-desc-lint.yml
+++ b/.github/workflows/pr-desc-lint.yml
@@ -11,6 +11,9 @@ on:
       - reopened
       - edited
 
+permissions:
+  contents: read
+
 jobs:
   check-description:
     runs-on: macos-latest
diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml
index eb556595f2..44033f9429 100644
--- a/.github/workflows/version-check.yml
+++ b/.github/workflows/version-check.yml
@@ -5,6 +5,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   check-version:
     runs-on: ubuntu-latest