diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ab417a0b0..1bf2b13aa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,10 @@ on:
       - main
       - releases/*
 
+permissions:
+  contents: read
+  actions: write
+
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   # Is it the official main branch, or an official release branches?
diff --git a/.github/workflows/conventions.yml b/.github/workflows/conventions.yml
index 20c9acd10..9cb879be2 100644
--- a/.github/workflows/conventions.yml
+++ b/.github/workflows/conventions.yml
@@ -3,6 +3,10 @@ name: Conventions
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  actions: read
+
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index c6e39cc48..eed46300f 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -22,6 +22,10 @@ on:
         required: false
         description: The Vercel token. Required if 'publish_target' is set.
 
+permissions:
+  contents: read
+  actions: read
+
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
diff --git a/.github/workflows/nightly-throughput-stress.yml b/.github/workflows/nightly-throughput-stress.yml
index cf13625e1..6b892caf9 100644
--- a/.github/workflows/nightly-throughput-stress.yml
+++ b/.github/workflows/nightly-throughput-stress.yml
@@ -25,6 +25,10 @@ on:
         default: 360
         type: number
 
+permissions:
+  contents: read
+  actions: write
+
 env:
   # Workflow configuration
   TEST_DURATION: ${{ inputs.duration || vars.NIGHTLY_TEST_DURATION || '5h' }}
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 64b6c2711..df1d0d406 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -6,6 +6,10 @@ on:
     - cron: '00 08 * * *' # (1 AM PST)
 
 
+permissions:
+  contents: read
+  actions: write
+
 jobs:
   nightly:
     uses: ./.github/workflows/stress.yml
diff --git a/.github/workflows/omes.yml b/.github/workflows/omes.yml
index 02dd5bea6..72d933963 100644
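Review bot: `actions: write` is granted at workflow level in the ci.yml hunk, so every job in the workflow — including ones that only build and test — receives a `GITHUB_TOKEN` that can cancel or re-run workflow runs and delete artifacts and caches in this repository, and the `env:` block directly below exports that same token to every step. Unless several jobs need it, keep the top-level block at `contents: read` and put `permissions:` / `  actions: write` on the one job that does, with a comment naming the step that requires it; the same applies to the identical `actions: write` grants in nightly-throughput-stress.yml, nightly.yml, release.yml and stress.yml. Once a workflow-level `permissions` block exists every unlisted scope becomes `none`, so any job outside this hunk that relies on e.g. `id-token: write` or `pull-requests: write` will start failing until it gets its own job-level block — worth a dry run on a branch before merging. The jobs themselves are outside the hunk, so this is inferred from the visible declarations only.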
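Review bot: The `actions: read` block added in the conventions.yml hunk carries no comment saying which step reads the Actions API, and because conventions.yml is a `workflow_call` workflow the block can only narrow what the caller passes in, never widen it, which is easy to misread as a grant. A one-line comment above it, `# Reusable workflow: this only caps the caller's grant; callers need at least these scopes for the steps below to work`, would make the contract explicit for ci.yml and any other caller; the identical block in docs.yml would benefit from the same comment. Whether anything actually exercises `actions: read` cannot be seen from the hunk — if no step downloads artifacts or queries runs, `contents: read` alone would be tighter.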
--- a/.github/workflows/omes.yml
+++ b/.github/workflows/omes.yml
@@ -6,6 +6,10 @@ on:
       - main
       - 'releases/*'
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   omes-image-build:
     uses: temporalio/omes/.github/workflows/docker-images.yml@main
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 38ba0f02e..f32bd35be 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,10 @@ on:
       - main
       - 'releases/*'
 
+permissions:
+  contents: read
+  actions: write
+
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   # Is it the official main branch, or an official release branches?
diff --git a/.github/workflows/stress.yml b/.github/workflows/stress.yml
index 43006263d..e8dce3896 100644
--- a/.github/workflows/stress.yml
+++ b/.github/workflows/stress.yml
@@ -38,6 +38,10 @@ on:
         required: true
         type: boolean
 
+permissions:
+  contents: read
+  actions: write
+
 env:
   TEMPORAL_TESTING_LOG_DIR: /tmp/worker-logs
   TEMPORAL_TESTING_MEM_LOG_DIR: /tmp/worker-mem-logs
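Review bot: The `packages: write` added in the omes.yml hunk is a workflow-level grant, and the only job visible below it delegates to `temporalio/omes/.github/workflows/docker-images.yml@main`, a reusable workflow in another repository referenced by a mutable branch rather than a commit; the called workflow inherits up to this grant, so anyone able to change that branch can publish packages under this repository's `GITHUB_TOKEN`. Pinning the reference to a full commit SHA (`uses: temporalio/omes/.github/workflows/docker-images.yml@<commit-sha>  # <tag or date it corresponds to>`), or at least moving `packages: write` onto the `omes-image-build` job, keeps the blast radius to the job that needs it. The same-org source lowers the risk but does not remove the need to review the called workflow's own `permissions`, which are not in this diff. The `jobs:` block continues past the end of the hunk.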