diff --git a/.github/workflows/build-distribution.yml b/.github/workflows/build-distribution.yml
index fd3e11ed7..ba8497e0c 100644
--- a/.github/workflows/build-distribution.yml
+++ b/.github/workflows/build-distribution.yml
@@ -3,6 +3,9 @@ name: build-distribution
 on:
   workflow_call: ~
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/packages.yml b/.github/workflows/packages.yml
index f2d9a4f83..3f63467fe 100644
--- a/.github/workflows/packages.yml
+++ b/.github/workflows/packages.yml
@@ -13,6 +13,9 @@ on:
       - '**/*.md'
       - '**/*.asciidoc'
 
+permissions:
+  contents: read
+
 # Override the version if there is no tag release.
 env:
   ELASTIC_CI_POST_VERSION: ${{ startsWith(github.ref, 'refs/tags') && '' || github.run_id }}
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 65947d33b..926c21be6 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -5,6 +5,9 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/run-matrix.yml b/.github/workflows/run-matrix.yml
index 827212527..d5db311d6 100644
--- a/.github/workflows/run-matrix.yml
+++ b/.github/workflows/run-matrix.yml
@@ -8,6 +8,9 @@ on:
         description: Matrix include JSON string
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   docker:
     name: "docker (version: ${{ matrix.version }}, framework: ${{ matrix.framework }})"
diff --git a/.github/workflows/test-reporter.yml b/.github/workflows/test-reporter.yml
index 4b0b7620d..1060771c5 100644
--- a/.github/workflows/test-reporter.yml
+++ b/.github/workflows/test-reporter.yml
@@ -8,6 +8,11 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+  actions: read
+  checks: write
+
 jobs:
   report:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 4638ab5d3..cae9a846e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -30,6 +30,9 @@ on:
         required: true
         type: boolean
 
+permissions:
+  contents: read
+
 jobs:
   build-distribution:
     uses: ./.github/workflows/build-distribution.yml