diff --git a/.github/workflows/angular.azure.web.app.deploy.yml b/.github/workflows/angular.azure.web.app.deploy.yml
index 6ebcf7f1..b9b96b6a 100644
--- a/.github/workflows/angular.azure.web.app.deploy.yml
+++ b/.github/workflows/angular.azure.web.app.deploy.yml
@@ -11,6 +11,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   azure-web-app:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/angular.azure.web.static.deploy.yml b/.github/workflows/angular.azure.web.static.deploy.yml
index ed9936a8..3a169322 100644
--- a/.github/workflows/angular.azure.web.static.deploy.yml
+++ b/.github/workflows/angular.azure.web.static.deploy.yml
@@ -1,3 +1,5 @@
+permissions:
+  contents: read
 name: Azure Static Site Deploy
 
 on:
diff --git a/.github/workflows/angular.build.yml b/.github/workflows/angular.build.yml
index 9a3f7a89..0ccc6c44 100644
--- a/.github/workflows/angular.build.yml
+++ b/.github/workflows/angular.build.yml
@@ -12,6 +12,10 @@ on:
         required: false
         type: string
 
+permissions:
+  contents: read
+  actions: write
+
 jobs:
   build:
     runs-on: ${{ inputs.runs-on }}
diff --git a/.github/workflows/angular.docker.yml b/.github/workflows/angular.docker.yml
index aef2fced..7a5dfedf 100644
--- a/.github/workflows/angular.docker.yml
+++ b/.github/workflows/angular.docker.yml
@@ -1,5 +1,10 @@
 name: Docker Deploy
 
+permissions:
+  contents: read
+  packages: write
+  actions: write
+
 on:
   workflow_call:
     inputs:
@@ -25,6 +30,9 @@ env:
 
 jobs:
   docker:
+    permissions:
+      contents: read
+      packages: write
     environment:
       name: DockerHub
       url: https://hub.docker.com/r/${{ inputs.dockerhub-username }}/${{ github.event.repository.name }}
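Review bot: The new `permissions:` block in angular.azure.web.static.deploy.yml is placed above `name:` with no blank line, unlike the other workflows in this commit, which put it after the `name:` line (or after the `on:` block) with a blank line on each side; build-test-deploy.yml (last hunk of this commit) has the same placement. Move the two lines below `name: Azure Static Site Deploy` and surround them with blank lines so every workflow header reads name, permissions, on in the same order. Parsing is unaffected either way; this is purely consistency.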
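Review bot: `actions: write` at the workflow level of angular.build.yml grants every job in the file write access to the Actions API, while nothing visible in the hunk needs more than `contents: read`; if a single step needs it (cache or artifact cleanup, presumably), scope it to that job with a job-level `permissions:` block and keep the workflow-level block at `contents: read`. Because this is a `workflow_call` workflow, the caller's job permissions are the ceiling and the called workflow can only narrow them; the caller angular.yml in this same commit sets only `contents: read` at the top level and its `build` job's `uses:` line is outside the visible hunks, so unless that job grants `actions: write` GitHub will reject the run for requesting more than it is allowed. The `build` job body continues outside the hunk.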
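Review bot: The workflow-level `permissions:` in angular.docker.yml grants `actions: write`, but both jobs shown in this file (`docker` here and `docker-ghcr` in the next hunk) define their own job-level block with only `contents: read` and `packages: write`, and a job-level block replaces the workflow-level one for that job rather than adding to it. Unless another job without its own block exists outside the visible hunks, `actions: write` is never used; drop it and keep the top-level block at `contents: read` and `packages: write` (or narrower, since each job already declares what it needs). The `docker` job body continues outside the hunk.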
@@ -50,6 +58,9 @@ jobs:
           images: ${{ inputs.dockerhub-username }}/${{ github.event.repository.name }}
 
   docker-ghcr:
+    permissions:
+      contents: read
+      packages: write
     environment:
       name: GitHub Container Registry
       url: https://github.com/${{ github.event.repository.owner.login }}/${{ github.event.repository.name }}/pkgs/container/${{ github.event.repository.name }}
diff --git a/.github/workflows/angular.lint.yml b/.github/workflows/angular.lint.yml
index 62e40484..bf3f0759 100644
--- a/.github/workflows/angular.lint.yml
+++ b/.github/workflows/angular.lint.yml
@@ -3,6 +3,9 @@ name: Lint
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/angular.terraform.yml b/.github/workflows/angular.terraform.yml
index be69127c..d35264f0 100644
--- a/.github/workflows/angular.terraform.yml
+++ b/.github/workflows/angular.terraform.yml
@@ -1,5 +1,9 @@
 name: "Terraform"
 
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   workflow_call:
     outputs:
diff --git a/.github/workflows/angular.yml b/.github/workflows/angular.yml
index 9cdc701c..b808ccca 100644
--- a/.github/workflows/angular.yml
+++ b/.github/workflows/angular.yml
@@ -3,6 +3,9 @@ name: Angular
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: ⚒️
@@ -29,12 +32,17 @@ jobs:
     name: 🚀
     if: github.ref == 'refs/heads/main'
     needs: [build, test, lint]
+    permissions:
+      contents: read
+      pages: write
     uses: ./.github/workflows/angular.pages.deploy.yml
 
   docker:
     name: 🐳
     if: startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/main'
     needs: [build]
+    permissions:
+      contents: read
     uses: ./.github/workflows/angular.docker.yml
     secrets: inherit
 
@@ -43,6 +51,8 @@ jobs:
     # skip until we get Azure working
     # if: 0
     needs: [docker, test, lint]
+    permissions:
+      contents: read
     uses: ./.github/workflows/angular.terraform.yml
     secrets: inherit
 
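Review bot: The `docker` job in angular.yml now passes only `contents: read` to angular.docker.yml, but that reusable workflow (earlier in this commit) requests `packages: write` at both workflow and job level; a called workflow can only narrow the caller's token, so GitHub will refuse the run, reporting that the nested job requests `packages: write` but is allowed `packages: none`. Change the block to `permissions:` / `  contents: read` / `  packages: write`. The same mismatch applies to the `terraform` job in the next hunk, which grants `contents: read` while angular.terraform.yml requests `pull-requests: write`, and to the `build` job (its `uses:` line is outside the visible hunks), which inherits the workflow-level `contents: read` while angular.build.yml requests `actions: write`. For the `pages` job, if angular.pages.deploy.yml deploys with actions/deploy-pages it will also need `id-token: write`; that file is not in this commit, so confirm against it before relying on `pages: write` alone.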
@@ -50,6 +60,9 @@ jobs:
     name: ☁️
     if: needs.terraform.outputs.api_key && github.ref == 'refs/heads/main'
     needs: [terraform]
+    permissions:
+      contents: read
+      deployments: write
     uses: ./.github/workflows/angular.azure.web.static.deploy.yml
     with:
       api_key: ${{ needs.terraform.outputs.api_key }}
@@ -69,4 +82,6 @@ jobs:
     name: 🚢
     if: startsWith(github.ref, 'refs/tags/')
     needs: [build, test, lint]
+    permissions:
+      contents: write
     uses: ./.github/workflows/angular.release.yml
diff --git a/.github/workflows/build-test-deploy.yml b/.github/workflows/build-test-deploy.yml
index 958dc298..bf1b5075 100644
--- a/.github/workflows/build-test-deploy.yml
+++ b/.github/workflows/build-test-deploy.yml
@@ -1,3 +1,5 @@
+permissions:
+  contents: read
 name: CI/CD
 on:
   workflow_dispatch: