diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 600a98c2..76f36d77 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,4 +1,11 @@
 version: 2
+
+permissions:
+ pull-requests: write
+ security-events: write
+ contents: read
+ actions: read
+
 updates:
 - package-ecosystem: "github-actions"
 directory: "/"
diff --git a/.github/workflows/aks-addon-tests.yml b/.github/workflows/aks-addon-tests.yml
index e327ab57..a3b6e40a 100644
--- a/.github/workflows/aks-addon-tests.yml
+++ b/.github/workflows/aks-addon-tests.yml
@@ -20,6 +20,8 @@ env:
 permissions:
 id-token: write # This is required for requesting the JWT
 contents: read # This is required for actions/checkout
+ actions: read #This is required for reading environment variables
+ deployments: read #This is required for reading deployment status
 jobs:
 aks-addon-e2e-tests:
diff --git a/.github/workflows/chart.yml b/.github/workflows/chart.yml
index cf6b040a..79735c18 100644
--- a/.github/workflows/chart.yml
+++ b/.github/workflows/chart.yml
@@ -9,6 +9,9 @@ on:
 permissions:
 contents: write
+ actions: read
+ deployments: read
+ contents: read
 jobs:
 publish-helm-chart:
diff --git a/.github/workflows/create-release-pull-request.yml b/.github/workflows/create-release-pull-request.yml
index 9807dab8..50bfbb32 100644
--- a/.github/workflows/create-release-pull-request.yml
+++ b/.github/workflows/create-release-pull-request.yml
@@ -14,6 +14,8 @@ on:
 permissions:
 contents: write
 pull-requests: write
+ actions: read
+ deployments: read
 jobs:
 create-release-pull-request:
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index 3c1c0ad7..18beb649 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -10,7 +10,9 @@ on:
 permissions:
 contents: write
 packages: write
-
+ actions: read
+ deployments: read
+ pull-requests: read
 env:
 REGISTRY: ghcr.io
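Review bot: In `.github/dependabot.yml` the added top-level `permissions:` block is not part of the Dependabot version 2 configuration, which takes keys such as `version`, `updates` and `registries`; `permissions` is a workflow-file key. Dependabot validates this file, so the unknown key is likely to make the whole configuration be rejected, which would stop the `github-actions` update entry below it from running. Token scopes for Dependabot-triggered runs are set in each workflow's own `permissions:` block, so this change should be dropped, leaving `version: 2` followed directly by `updates:`.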
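Review bot: In `aks-addon-tests.yml` the added `actions: read` and `deployments: read` widen the token without a visible consumer, and the comment `#This is required for reading environment variables` does not match what the scope does: `env:` values and the `env` context reach a job without any `GITHUB_TOKEN` scope, while `actions: read` covers the Actions REST API (runs, artifacts, caches). The jobs are outside this hunk, so whether a step calls the Actions or Deployments API cannot be confirmed from here; if none does, leave both lines out, and if one does, name it in the comment, e.g. `actions: read # <step name> lists workflow runs`. The same pair is added in `chart.yml`, `create-release-pull-request.yml`, `create-release.yml` (together with `pull-requests: read`), `e2e-tests.yml`, `markdown-link-check.yml`, `pr-title-lint.yml` and `tests.yml`, and the same question applies to each.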
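Review bot: In `chart.yml` the added `contents: read` duplicates the `contents` key that the context line `contents: write` already sets in the same `permissions:` mapping. Duplicate mapping keys are invalid YAML; depending on the parser the workflow file is either rejected or the last value wins, and in the second case the `publish-helm-chart` job would run with a read-only token. The publish steps are outside this hunk, but a job that held `contents: write` before this change presumably pushes chart content, so the added line should be removed and `contents: write` kept as the only `contents` entry.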
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 40e062f6..6436786c 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -20,8 +20,10 @@ env:
 E2E_IMG_TAG: "e2e-ci"
 permissions:
- id-token: write
- contents: read
+ id-token: write
+ contents: read
+ actions: read
+ deployments: read
 jobs:
 e2e-tests:
diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml
index 92c43898..9317948a 100644
--- a/.github/workflows/markdown-link-check.yml
+++ b/.github/workflows/markdown-link-check.yml
@@ -6,6 +6,11 @@ on:
 - '**.md'
 - 'docs/**'
+permissions:
+ contents: read
+ actions: read
+ deployments: read
+
 jobs:
 markdown-link-check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-title-lint.yml b/.github/workflows/pr-title-lint.yml
index baeb05a2..2891edfc 100644
--- a/.github/workflows/pr-title-lint.yml
+++ b/.github/workflows/pr-title-lint.yml
@@ -8,6 +8,11 @@ on:
 - labeled
 - unlabeled
+permissions:
+ contents: read
+ actions: read
+ deployments: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 015e55b2..6e1f064f 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -18,6 +18,12 @@ env: # Common versions
 GO_VERSION: '1.20'
+permissions:
+ pull-requests: write
+ contents: read
+ actions: read
+ deployments: read
+
 jobs:
 unit-tests:
 runs-on: ubuntu-20.04
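Review bot: In `pr-title-lint.yml` the new `permissions:` block lists `contents`, `actions` and `deployments` but not `pull-requests`, and once a workflow declares `permissions:` every scope it does not list is set to `none`. The `check` job's steps are outside this hunk; if the title check reads the pull request through the API with `GITHUB_TOKEN`, it needs `pull-requests: read` added here. A title lint usually has no reason to query deployments or workflow runs, so after confirming what the step calls the block can probably shrink to `pull-requests: read` plus whatever the step actually reads.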
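Review bot: In `tests.yml` the added `pull-requests: write` sits at workflow level, so every job, starting with `unit-tests`, receives a token that can write to pull requests while it runs the code under test. Only the `unit-tests` header is visible in this hunk, so which job needs the write scope cannot be told from here. Keeping the workflow-level block read-only and adding a job-level `permissions:` mapping with `pull-requests: write` to the one job that uses it limits what a compromised build or test dependency can do with the token.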