diff --git a/.github/workflows/ci-prb.yml b/.github/workflows/ci-prb.yml
index 55bf1c3a..f2ec1bc4 100644
--- a/.github/workflows/ci-prb.yml
+++ b/.github/workflows/ci-prb.yml
@@ -1,4 +1,6 @@
 name: PR Builder
+permissions:
+  contents: read
 on:
   pull_request:
     branches: [ main ]
diff --git a/.github/workflows/ci-release-javadocs.yml b/.github/workflows/ci-release-javadocs.yml
index 90d1b5db..d578bb42 100644
--- a/.github/workflows/ci-release-javadocs.yml
+++ b/.github/workflows/ci-release-javadocs.yml
@@ -1,10 +1,9 @@
 name: Javadoc Builder
+permissions:
+  contents: read
 on:
   release:
     types: [published]
-permissions:
-  pages: write
-  id-token: write
 jobs:
   build:
     name: Javadoc Builder
@@ -29,6 +28,9 @@ jobs:
         with:
           path: build/docs/javadoc
   deploy:
+    permissions:
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
index 06e581f7..4acf54cf 100644
--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -1,4 +1,6 @@
 name: Release Builder
+permissions:
+  contents: read
 on:
   release:
     types: [published]
diff --git a/.github/workflows/ci-snapshot.yml b/.github/workflows/ci-snapshot.yml
index bba2a541..7fd8278b 100644
--- a/.github/workflows/ci-snapshot.yml
+++ b/.github/workflows/ci-snapshot.yml
@@ -1,4 +1,6 @@
 name: Snapshot Builder
+permissions:
+  contents: read
 on:
   push:
     branches: [ main ]
diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml
index 5ea5aa89..f60cf646 100644
--- a/.github/workflows/gradle-wrapper-validation.yml
+++ b/.github/workflows/gradle-wrapper-validation.yml
@@ -1,4 +1,6 @@
 name: "Validate Gradle Wrapper"
+permissions:
+  contents: read
 on: [push, pull_request]
 
 jobs: