diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
index 3a5b1f0142..e63bf7c940 100644
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
@@ -33,8 +33,13 @@ on:
 description: 'Perform a dry run to check'
 default: true
+permissions:
+ contents: read
+
 jobs:
 bump-version:
+ permissions:
+ contents: write # for Git to git push
 runs-on: ubuntu-latest
 if: github.repository == 'scikit-hep/pyhf'
diff --git a/.github/workflows/ci-windows.yml b/.github/workflows/ci-windows.yml
index 696fadc5a4..0dbef41600 100644
--- a/.github/workflows/ci-windows.yml
+++ b/.github/workflows/ci-windows.yml
@@ -10,6 +10,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 test:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 82a92e10fb..9c7f5dcdfe 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,6 +15,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 test:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 7d680f58d3..507b0c7808 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -15,8 +15,15 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 analyze:
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/analyze to upload SARIF results
 name: Analyze
 runs-on: ubuntu-latest
diff --git a/.github/workflows/dependencies-head.yml b/.github/workflows/dependencies-head.yml
index 849cf6fea4..feaf00a5ec 100644
--- a/.github/workflows/dependencies-head.yml
+++ b/.github/workflows/dependencies-head.yml
@@ -10,6 +10,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 release-candidates:
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 484c9400fe..578377650b 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -19,6 +19,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 docker:
 name: Build, test, and publish Docker images to Docker Hub
diff --git a/.github/workflows/lower-bound-requirements.yml b/.github/workflows/lower-bound-requirements.yml
index 9d8490137e..87305d10a8 100644
--- a/.github/workflows/lower-bound-requirements.yml
+++ b/.github/workflows/lower-bound-requirements.yml
@@ -6,6 +6,9 @@ on:
 - cron: '1 0 * * *'
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 test:
diff --git a/.github/workflows/merged.yml b/.github/workflows/merged.yml
index 3923caaffe..cce0e42670 100644
--- a/.github/workflows/merged.yml
+++ b/.github/workflows/merged.yml
@@ -5,6 +5,9 @@ on:
 types: [closed]
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 binder:
 name: Trigger Binder build
diff --git a/.github/workflows/notebooks.yml b/.github/workflows/notebooks.yml
index 8278f2abdc..50580dfa86 100644
--- a/.github/workflows/notebooks.yml
+++ b/.github/workflows/notebooks.yml
@@ -10,6 +10,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 test:
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
index bea7e22c7e..7f798b3616 100644
--- a/.github/workflows/publish-package.yml
+++ b/.github/workflows/publish-package.yml
@@ -25,6 +25,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build Python distribution
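Review bot: The workflow-level `contents: read` in docker.yml is only sufficient if the `docker` job (named "Build, test, and publish Docker images to Docker Hub") authenticates to the registry with repository secrets rather than `GITHUB_TOKEN`; its steps are outside this hunk, so confirm that no step logs in to ghcr.io with the token (which would need `packages: write`) or signs/attests the image with the token (which would need `id-token: write`). If such a step exists, declare those scopes on the job, e.g. `permissions:` / `contents: read` / `packages: write`, rather than widening the top-level block. The `docker` job continues past the end of the hunk.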
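Review bot: The new workflow-level `contents: read` in publish-package.yml also caps the token of the job that uploads to PyPI, which lies outside this hunk (only `build` is visible); if that job uses OIDC trusted publishing via `pypa/gh-action-pypi-publish` it must declare `permissions:` / `id-token: write` at job level or the release will fail at the token exchange. If it instead authenticates with a stored API-token secret, no extra scope is needed. This path is only exercised on a release, so it is worth confirming before the next tag rather than discovering it then. The `jobs:` mapping continues past the end of the hunk.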
diff --git a/.github/workflows/release_tests.yml b/.github/workflows/release_tests.yml
index 2d3f2e8bd5..46df16d3f3 100644
--- a/.github/workflows/release_tests.yml
+++ b/.github/workflows/release_tests.yml
@@ -10,6 +10,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 pypi_release:
diff --git a/.github/workflows/semantic-pr-check.yml b/.github/workflows/semantic-pr-check.yml
index 143ec8377e..f7f0d13283 100644
--- a/.github/workflows/semantic-pr-check.yml
+++ b/.github/workflows/semantic-pr-check.yml
@@ -11,9 +11,15 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.number }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 main:
+ permissions:
+ pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs
+ statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR
 name: Validate PR title
 runs-on: ubuntu-latest
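Review bot: A job-level `permissions:` block replaces the workflow-level one rather than merging with it, so after this change the `main` job's token carries only `pull-requests: read` and `statuses: write` and no `contents` scope at all; that is correct as long as the job has no `actions/checkout` step (the semantic-PR action reads the title from the API), but the step list is outside the hunk, so verify. If the workflow is triggered by `pull_request_target`, which the `github.event.number` concurrency key is consistent with but does not prove, the explicit narrowing is especially worthwhile because that event otherwise hands a write-capable token to a fork-authored PR. The `main` job continues past the end of the hunk.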