diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 13747aae..dddd0ad7 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -5,6 +5,9 @@ on:
     - cron: '0 0 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index bcd35e6e..83b471cf 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -3,6 +3,9 @@ name: "Label PRs"
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   label-pull-requests:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/mac.yml b/.github/workflows/mac.yml
index 7b04a6b6..8d821ce6 100644
--- a/.github/workflows/mac.yml
+++ b/.github/workflows/mac.yml
@@ -1,6 +1,9 @@
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   clang-build:
     runs-on: macOS-latest
diff --git a/.github/workflows/perf.yml b/.github/workflows/perf.yml
index ba87df9b..797039d7 100644
--- a/.github/workflows/perf.yml
+++ b/.github/workflows/perf.yml
@@ -1,6 +1,10 @@
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   ubuntu-gcc-build-perf-stats:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 6fa2ed6b..caaa8562 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -5,6 +5,10 @@ on:
   pull_request:
   workflow_call:
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   pre-commit:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/static-analysis-pr.yml b/.github/workflows/static-analysis-pr.yml
index 47479443..5adc8191 100644
--- a/.github/workflows/static-analysis-pr.yml
+++ b/.github/workflows/static-analysis-pr.yml
@@ -19,6 +19,10 @@ concurrency:
     github.event_name != 'merge_group' && !startsWith(github.ref, 'refs/heads/gh-readonly-queue') }}
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   clang-tidy:
     runs-on: ubuntu-24.04
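Review bot: The workflow-level `permissions: contents: read` in codeql.yml becomes the ceiling for the `analyze` job, and uploading CodeQL results to code scanning requires `security-events: write`; the job body is outside the hunk, so if `analyze` does not declare its own job-level `permissions` with that scope, the results upload will fail after this change. Either confirm the job-level block exists, or extend the block here to `permissions:` / `  contents: read` / `  security-events: write`. Keeping the write scope at job level rather than workflow level is the tighter of the two options.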
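Review bot: In labeler.yml the job runs on `pull_request_target`, and applying labels needs `pull-requests: write`, which the new top-level `contents: read` block does not grant; `label-pull-requests` is outside the hunk, so this only bites if the job has no job-level `permissions` of its own. If it is missing, add the scope at job level, `permissions:` / `  contents: read` / `  pull-requests: write`, so the base-repository token that `pull_request_target` exposes keeps the smallest scope that still lets the labeler work.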
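Review bot: mac.yml is a reusable workflow (`on: workflow_call`), where a `permissions` block can only narrow the token the calling workflow passes in, never widen it; the same applies to perf.yml, pre-commit.yml, static-analysis-pr.yml, the first ubuntu.yml hunk and windows.yml. The callers are not part of this diff, so I cannot tell whether they declare an explicit `permissions` block too; if they rely on the repository default, their own jobs keep that default even though the called jobs are now restricted. A one-line comment above each block, `# reusable workflow: this only narrows the caller's token`, would make the intent clear to the next person who edits the caller.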
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index 598e3671..8fd201aa 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -1,6 +1,10 @@
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   gcc-build:
     runs-on: ${{ matrix.os }}
@@ -330,6 +334,11 @@ jobs:
       - gcc-test-extended
       - clang-test-extended
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: read
+      issues: write
+      pull-requests: write
     container:
       image: ghcr.io/learning-process/ppc-ubuntu:1.1
       credentials:
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index eb067fb0..899c21bb 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -1,6 +1,9 @@
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   msvc-build:
     runs-on: windows-latest
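Review bot: The job-level `permissions` block in the second ubuntu.yml hunk grants `issues: write` and `pull-requests: write` without recording which step consumes them; the job's steps are outside the hunk, so I cannot tell whether both scopes are actually used. Repeating `contents: read` and `packages: read` is correct here, since a job-level block replaces the workflow-level one rather than merging with it, but a comment above the block naming the consumer, `# <step name> needs issues/pull-requests write to post its report`, keeps the grant auditable when that step is later changed or removed. If only one of the two write scopes is used, drop the other, especially as this job runs inside a third-party container image.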