diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 643fc7f96ffa..c94a3e92a585 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -41,6 +41,9 @@ on:
 link.
 required: true
+permissions:
+ contents: write
+
 jobs:
 add-changelog:
 runs-on: Ubuntu-latest
diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml
index 6ab5db076912..66f8a2e75052 100644
--- a/.github/workflows/closed-issue-message.yml
+++ b/.github/workflows/closed-issue-message.yml
@@ -2,6 +2,9 @@ name: Closed Issue Message
 on:
 issues:
 types: [closed]
+permissions:
+ issues: write
+
 jobs:
 auto_comment:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/doc-pr-cherry-pick.yml b/.github/workflows/doc-pr-cherry-pick.yml
index b9ddf589dd91..f8c34f33606e 100644
--- a/.github/workflows/doc-pr-cherry-pick.yml
+++ b/.github/workflows/doc-pr-cherry-pick.yml
@@ -8,6 +8,10 @@ on:
 type: string
 required: true
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 cherry_pick_and_create_pr:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/fail-master-prs.yml b/.github/workflows/fail-master-prs.yml
index 671b81edb066..e6ca087aab00 100644
--- a/.github/workflows/fail-master-prs.yml
+++ b/.github/workflows/fail-master-prs.yml
@@ -4,6 +4,9 @@ on:
 pull_request:
 branches: [ master ]
+permissions:
+ contents: read
+
 jobs:
 fail:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/run-bundle-test.yml b/.github/workflows/run-bundle-test.yml
index bd1b0a26df8a..f95124a6a43e 100644
--- a/.github/workflows/run-bundle-test.yml
+++ b/.github/workflows/run-bundle-test.yml
@@ -8,6 +8,9 @@ on:
 pull_request:
 branches-ignore: [ master ]
+permissions:
+ contents: read
+
 jobs:
 test-bundle:
 runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/run-dep-tests.yml b/.github/workflows/run-dep-tests.yml
index 99f83be76444..257ad5f6618c 100644
--- a/.github/workflows/run-dep-tests.yml
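Review bot: In `.github/workflows/changelog.yml` the new `contents: write` sits at workflow level, so every job and step in the workflow, third-party actions included, runs with a token that can push to the repository. Only the header of `add-changelog` is visible in this hunk, so this is hedged: if a single job performs the commit, the grant is better placed under `jobs.add-changelog.permissions`, leaving the workflow default at `contents: read` so that jobs added later do not inherit write access. A short comment above the block naming the step that needs the write scope would let later reviewers check whether it is still required. The same applies to the write scopes added in `doc-pr-cherry-pick.yml` and `update-lockfiles.yml`.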
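Review bot: In `.github/workflows/fail-master-prs.yml` the added `contents: read` may still be more than the `fail` job uses. The job's steps lie outside the hunk, so this needs confirming. If the job only exits non-zero and never checks out the repository or calls the API, `permissions: {}` removes every scope from the token and documents that the workflow needs no repository access.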
+++ b/.github/workflows/run-dep-tests.yml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches-ignore: [ master ]
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
index dbcdc6d351b5..243894dda2c4 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/run-tests.yml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches-ignore: [ master ]
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/stale_community_prs.yml b/.github/workflows/stale_community_prs.yml
index 2102b191ce91..54b4ca5c1485 100644
--- a/.github/workflows/stale_community_prs.yml
+++ b/.github/workflows/stale_community_prs.yml
@@ -1,6 +1,9 @@
 name: 'Check stale community PRs.'
 on: workflow_dispatch
+permissions:
+ pull-requests: write
+
 jobs:
 stale-implementation-stage:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/update-lockfiles.yml b/.github/workflows/update-lockfiles.yml
index 5dcf8e4352c1..745737b46dd3 100644
--- a/.github/workflows/update-lockfiles.yml
+++ b/.github/workflows/update-lockfiles.yml
@@ -20,6 +20,9 @@ on:
 the generated files.
+permissions:
+ contents: write
+
 jobs:
 update-lockfiles:
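Review bot: In `.github/workflows/stale_community_prs.yml` the block lists only `pull-requests: write`, and a `permissions` block sets every scope it does not list to `none`. The steps of `stale-implementation-stage` are outside the hunk, so whether that single scope covers everything they call cannot be checked from here. Because the trigger is `workflow_dispatch`, a missing scope would surface only on the next manual run. Dispatching the workflow once before merging would confirm it, and a scope should be added only if a step is actually denied.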