diff --git a/.github/workflows/addToProject.yml b/.github/workflows/addToProject.yml
index 0a3b76924..d8ad56370 100644
--- a/.github/workflows/addToProject.yml
+++ b/.github/workflows/addToProject.yml
@@ -6,6 +6,9 @@ on:
 env:
   MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}
 
+permissions:
+  contents: read
+
 jobs:
   assign_one_project:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/build-distribution.yml b/.github/workflows/build-distribution.yml
index 986632acd..1a95317ca 100644
--- a/.github/workflows/build-distribution.yml
+++ b/.github/workflows/build-distribution.yml
@@ -3,6 +3,9 @@ name: build-distribution
 on:
   workflow_call: ~
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index df219658c..6fd34136c 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -6,6 +6,9 @@ on:
     types: [opened]
 env:
   MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}
+permissions:
+  contents: read
+
 jobs:
   triage:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/packages.yml b/.github/workflows/packages.yml
index 148110c7f..0162704e8 100644
--- a/.github/workflows/packages.yml
+++ b/.github/workflows/packages.yml
@@ -13,6 +13,9 @@ on:
       - '**/*.md'
       - '**/*.asciidoc'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index c2f7e71fc..98c8395eb 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -5,6 +5,9 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/run-matrix.yml b/.github/workflows/run-matrix.yml
index 811f68dd9..a89661ee1 100644
--- a/.github/workflows/run-matrix.yml
+++ b/.github/workflows/run-matrix.yml
@@ -8,6 +8,9 @@ on:
         description: Matrix include JSON string
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   docker:
     name: "docker (version: ${{ matrix.version }}, framework: ${{ matrix.framework }})"
diff --git a/.github/workflows/test-reporter.yml b/.github/workflows/test-reporter.yml
index 4b0b7620d..a5a68b9ec 100644
--- a/.github/workflows/test-reporter.yml
+++ b/.github/workflows/test-reporter.yml
@@ -8,6 +8,10 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   report:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index b57b8a023..96b8f1ee4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -30,6 +30,9 @@ on:
         required: true
         type: boolean
 
+permissions:
+  contents: read
+
 jobs:
   build-distribution:
     uses: ./.github/workflows/build-distribution.yml