diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7d89a27967..888b54e28c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,8 @@ on:
 jobs:
 hygiene-tests:
 name: Repository hygiene
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - name: Job information
diff --git a/.github/workflows/dev-checks.yml b/.github/workflows/dev-checks.yml
index d02a1a9f65..40272763e1 100644
--- a/.github/workflows/dev-checks.yml
+++ b/.github/workflows/dev-checks.yml
@@ -1,4 +1,6 @@
 name: Developers environment checks
+permissions:
+ contents: read
 on:
 pull_request: # All
 push:
diff --git a/.github/workflows/image-publish.yml b/.github/workflows/image-publish.yml
index e2cd2e2efc..6357953304 100644
--- a/.github/workflows/image-publish.yml
+++ b/.github/workflows/image-publish.yml
@@ -14,6 +14,8 @@ on:
 # be the one found in scripts/tag.sh.
 # [1] https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet
 - "interuss/monitoring/v[0-9]+.[0-9]+.[0-9]+-?*"
+permissions:
+ contents: read
 jobs:
 docker-hub-push:
 name: Build and Push to Docker Hub
diff --git a/.github/workflows/monitoring-test.yml b/.github/workflows/monitoring-test.yml
index 2c91b75c3a..ac0d13086b 100644
--- a/.github/workflows/monitoring-test.yml
+++ b/.github/workflows/monitoring-test.yml
@@ -1,5 +1,9 @@
 name: 'Run a monitoring test (re-usable workflow)'
+# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+ contents: read
+
 on:
 workflow_call:
 inputs:
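Review bot: In `.github/workflows/ci.yml` the new `permissions` block is attached to the `hygiene-tests` job only, while the other three workflows in this commit declare it at workflow level. The `jobs:` mapping continues past this hunk, so any further job there would presumably still run with the repository's default GITHUB_TOKEN scopes. If none of those jobs needs write access, a top-level `permissions:` with `contents: read` placed before `jobs:` would cover all of them and match the other files. A job that genuinely needs more can then widen its own scope explicitly, which keeps the exception visible in review.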
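Review bot: In `.github/workflows/image-publish.yml` the workflow-level `contents: read` sets every unlisted GITHUB_TOKEN scope to `none` for `docker-hub-push`, and nothing next to the block records why read-only is sufficient for a publishing job. A short comment above it would help the next maintainer, for example `# GITHUB_TOKEN is only needed for checkout; registry credentials come from secrets`, with the wording confirmed against the job's steps, which are outside this hunk. If a step does depend on the token for anything else, grant that scope on the job rather than widening the workflow default. The docs-link comment added in `monitoring-test.yml` could also be repeated here and in `dev-checks.yml` for consistency.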