diff --git a/.github/workflows/check-version-bump.yaml b/.github/workflows/check-version-bump.yaml
index ed26924..50efbe8 100644
--- a/.github/workflows/check-version-bump.yaml
+++ b/.github/workflows/check-version-bump.yaml
@@ -5,6 +5,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   check-version-bump:
     name: Enforce version bump when src/ is modified
diff --git a/.github/workflows/commit-validation.yaml b/.github/workflows/commit-validation.yaml
index da5b880..4423ffd 100644
--- a/.github/workflows/commit-validation.yaml
+++ b/.github/workflows/commit-validation.yaml
@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   commit-validation:
     runs-on: ${{ contains(github.server_url, 'github.com') && 'ubuntu-latest' || fromJSON('["self-hosted"]') }}
diff --git a/.github/workflows/proto-verify.yaml b/.github/workflows/proto-verify.yaml
index 49c454b..28e3e16 100644
--- a/.github/workflows/proto-verify.yaml
+++ b/.github/workflows/proto-verify.yaml
@@ -15,6 +15,9 @@ on:
       - 'src/sap_cloud_sdk/core/auditlog_ng/proto/**'
       - 'Makefile'
 
+permissions:
+  contents: read
+
 jobs:
   verify-proto:
     name: Verify generated proto code is up-to-date
diff --git a/.github/workflows/release-internal.yml b/.github/workflows/release-internal.yml
index fcf1fb5..4144281 100644
--- a/.github/workflows/release-internal.yml
+++ b/.github/workflows/release-internal.yml
@@ -6,6 +6,9 @@ on:
       - main
     types: [opened, synchronize, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     name: Publish to Artifactory
diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml
index 6cc1a0d..009346f 100644
--- a/.github/workflows/reuse.yaml
+++ b/.github/workflows/reuse.yaml
@@ -8,6 +8,9 @@ on:
     branches:
       - "main"
 
+permissions:
+  contents: read
+
 jobs:
   check-reuse-compliance:
     runs-on: ${{ contains(github.server_url, 'github.com') && 'ubuntu-latest' || fromJSON('["self-hosted"]') }}
diff --git a/.github/workflows/sync.yaml b/.github/workflows/sync.yaml
index 0ecd02b..2f23b60 100644
--- a/.github/workflows/sync.yaml
+++ b/.github/workflows/sync.yaml
@@ -5,6 +5,9 @@ on:
     - cron: '0 */3 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: write
+
 jobs:
   sync:
     runs-on: ["self-hosted"]