diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml
index 9cbc16476..8ab28d0ab 100644
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
 
+permissions:
+  contents: read
+  
 jobs:
 
   conformance:
diff --git a/.github/workflows/go-build.yaml b/.github/workflows/go-build.yaml
index 46d84d519..1fc6514cc 100644
--- a/.github/workflows/go-build.yaml
+++ b/.github/workflows/go-build.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
 
+permissions:
+  contents: read
+  
 jobs:
 
   build:
diff --git a/.github/workflows/go-format.yaml b/.github/workflows/go-format.yaml
index d4e326ff1..ea5e50ae3 100644
--- a/.github/workflows/go-format.yaml
+++ b/.github/workflows/go-format.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
 
+permissions:
+  contents: read
+  
 jobs:
 
   format:
diff --git a/.github/workflows/go-lint.yaml b/.github/workflows/go-lint.yaml
index 6f130b7ec..757dccf77 100644
--- a/.github/workflows/go-lint.yaml
+++ b/.github/workflows/go-lint.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
 
+permissions:
+  contents: read
+  
 jobs:
 
   lint:
diff --git a/.github/workflows/go-unit-test.yaml b/.github/workflows/go-unit-test.yaml
index 81ace5075..242c6e58a 100644
--- a/.github/workflows/go-unit-test.yaml
+++ b/.github/workflows/go-unit-test.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
 
+permissions:
+  contents: read
+  
 jobs:
 
   test:
diff --git a/.github/workflows/inclusive.yaml b/.github/workflows/inclusive.yaml
index 03c23e51e..9c15694a0 100644
--- a/.github/workflows/inclusive.yaml
+++ b/.github/workflows/inclusive.yaml
@@ -4,6 +4,9 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
 
+permissions:
+  contents: read
+  
 jobs:
 
   language:
diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
index 7b7ffeb99..e38f7f3b1 100644
--- a/.github/workflows/integration.yaml
+++ b/.github/workflows/integration.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
 
+permissions:
+  contents: read
+  
 jobs:
 
   integration:
diff --git a/.github/workflows/observability.yaml b/.github/workflows/observability.yaml
index 756e2f7bd..9e1a49af3 100644
--- a/.github/workflows/observability.yaml
+++ b/.github/workflows/observability.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
 
+permissions:
+  contents: read
+  
 jobs:
 
   observability:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e371d29da..23217319e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,6 +5,9 @@ on:
     branches:
       - release-*
 
+permissions:  
+  contents: read
+
 jobs:
   semver:
     name: Calculate Next Release
@@ -28,6 +31,8 @@ jobs:
           echo "::set-output name=next::$NEXT"
 
   mainmodule:
+    permissions:
+      contents: write
     name: Release Main Module
     runs-on: ubuntu-latest
     needs: semver
@@ -45,6 +50,8 @@ jobs:
           prerelease: false
 
   submodules:
+    permissions:
+      contents: write
     name: Release Sub-Modules
     runs-on: ubuntu-latest
     needs:
@@ -78,6 +85,8 @@ jobs:
         run: ./hack/tag-release.sh --tag --push
 
   examples:
+    permissions:
+      contents: write 
     name: Update Examples
     runs-on: ubuntu-latest
     needs: