diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index df4604133..10ee77ff1 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -4,6 +4,10 @@ on:
 schedule:
 - cron: '0 0 * * 4'
+permissions:
+ contents: read
+ security-events: write
+
 jobs:
 CodeQL-Build:
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 5de1d1fe2..77b7c11f3 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -5,11 +5,12 @@ on:
 branches:
 - 'sdk-automation/models'
+permissions:
+ contents: write
+
 jobs:
 format:
 if: ${{ github.event.commits != null && !startsWith(github.event.head_commit.message, 'style(fmt)') }}
- permissions:
- contents: write
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/javaci.yml b/.github/workflows/javaci.yml
index 662c501e6..f9430085c 100644
--- a/.github/workflows/javaci.yml
+++ b/.github/workflows/javaci.yml
@@ -11,6 +11,9 @@ on:
 - promote/main
 workflow_dispatch: {}
+permissions:
+ contents: read
+
 jobs:
 java-check:
 name: Java Code Check
diff --git a/.github/workflows/label_new_issues.yml b/.github/workflows/label_new_issues.yml
index 18c7d92f5..20c7c19fb 100644
--- a/.github/workflows/label_new_issues.yml
+++ b/.github/workflows/label_new_issues.yml
@@ -3,6 +3,9 @@ on:
 issues:
 types: [opened]
+permissions:
+ issues: write
+
 jobs:
 add-label:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 3ae81d7d5..5f66e2ba2 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,6 +4,9 @@ on:
 release:
 types: [published]
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 80b2a6cd0..f36d94014 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
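Review bot: If this repository is private, the new top-level `permissions` block in codeql-analysis.yml is one grant short: `github/codeql-action` also needs `actions: read` (alongside `contents: read` and `security-events: write`) to read workflow-run metadata when uploading results, so the block would become `permissions:` / `  actions: read` / `  contents: read` / `  security-events: write`. For a public repository the two grants as written are the documented minimum and nothing more is needed. Repository visibility is not visible in the hunk, so confirm which case applies before merging.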
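Review bot: Hoisting `contents: write` from the `format` job to the workflow level in format.yml widens the grant from one job to every job in the file, and the job-level block being removed here was already the tighter scope, so this hunk moves in the opposite direction from the rest of the commit. With only the `format` job visible the effective token is unchanged today, but any job added to this workflow later inherits write access to the repository unless it declares its own `permissions:`. The least-privilege shape is a restrictive workflow default plus the write grant on the job that actually commits: keep `permissions:` / `  contents: read` at the top and restore `permissions:` / `  contents: write` under `format:`. The `format` job's steps continue past the end of the hunk.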
@@ -20,12 +20,13 @@ on:
 branches:
 - main
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 release:
 if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
- permissions:
- contents: write
- pull-requests: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 52bc65c37..31c6de996 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -3,6 +3,10 @@ on:
 schedule:
 - cron: '30 8 * * *'
+permissions:
+ issues: write
+ pull-requests: write
+
 jobs:
 stale:
 runs-on: ubuntu-latest
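Review bot: Moving `contents: write` and `pull-requests: write` to the workflow level in release.yml grants both to every job in the file rather than only to `release`, so the job-level block being removed was the tighter scope and this hunk loosens it. Today `release` is the only job visible and the effective token is unchanged, but the `if:` guard on `github.event_name` suggests this workflow is also triggered on `pull_request`, and a future job without its own `permissions:` would inherit the write token on those runs. Prefer `permissions:` / `  contents: read` at the top and keep `contents: write` / `pull-requests: write` under `release:`, where the same-repo fork check already protects them. The `release` job's steps continue past the end of the hunk.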