diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index b3c1e10584a0..7ce63082641d 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -33,9 +33,12 @@ on: paths: - "**/Cargo.toml" - "**/Cargo.lock" - + merge_group: +permissions: + contents: read + jobs: security_audit: runs-on: ubuntu-latest
diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml
index 3b2cc243d496..ef175de2aa29 100644
--- a/.github/workflows/dependencies.yml
+++ b/.github/workflows/dependencies.yml
@@ -37,6 +37,9 @@ on: # https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow workflow_dispatch: +permissions: + contents: read + jobs: depcheck: name: circular dependency check
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
index 55e8572408ef..defc0e937d09 100644
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@@ -85,7 +85,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - # Version fixed on purpose. It uses heuristics to detect typos, so upgrading + # Version fixed on purpose. It uses heuristics to detect typos, so upgrading # it may cause checks to fail more often. # We can upgrade it manually once a while. - name: Install typos-cli
diff --git a/.github/workflows/docs_pr.yaml b/.github/workflows/docs_pr.yaml
index dab81fd6452d..4b8d25b0611e 100644
--- a/.github/workflows/docs_pr.yaml
+++ b/.github/workflows/docs_pr.yaml
@@ -33,8 +33,10 @@ on: # https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow workflow_dispatch: +permissions: + contents: read + jobs: - # Test doc build linux-test-doc-build: name: Test doc build
diff --git a/.github/workflows/large_files.yml b/.github/workflows/large_files.yml
index 12a559918921..746d201da2eb 100644
--- a/.github/workflows/large_files.yml
+++ b/.github/workflows/large_files.yml
@@ -25,6 +25,9 @@ on: pull_request: merge_group: +permissions: + contents: read + jobs: check-files: runs-on: ubuntu-slim
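Review bot: The `permissions:` block added above `jobs:` in large_files.yml carries no comment saying that naming only `contents: read` leaves every other GITHUB_TOKEN scope with no access; the identical blocks added in audit.yml, dependencies.yml and docs_pr.yaml have the same gap. I would put `# Least privilege: GITHUB_TOKEN is read-only here; unlisted scopes get no access, grant extras per job.` directly above each `permissions:` line, so that a later maintainer adds a job-level grant instead of widening the workflow default. The job bodies (`check-files`, `security_audit`, `depcheck`, `linux-test-doc-build`) continue outside the hunks, so it cannot be confirmed from here that no step needs a write scope such as `checks` or `pull-requests`; that is worth verifying on one run of each workflow, the `merge_group` trigger included.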