diff --git a/.github/workflows/build-events.yml b/.github/workflows/build-events.yml
index 624f96d6..539e2b3c 100644
--- a/.github/workflows/build-events.yml
+++ b/.github/workflows/build-events.yml
@@ -10,6 +10,9 @@ on:
       - "lambda-events/**"
       - "Cargo.toml"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/build-extension.yml b/.github/workflows/build-extension.yml
index f823dbb4..2d8ac011 100644
--- a/.github/workflows/build-extension.yml
+++ b/.github/workflows/build-extension.yml
@@ -16,6 +16,9 @@ on:
       - 'Cargo.toml'
 
 
+permissions:
+  contents: read
+
 jobs:
   build-runtime:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/build-integration-test.yml b/.github/workflows/build-integration-test.yml
index dd9bd68f..c7fa4f8f 100644
--- a/.github/workflows/build-integration-test.yml
+++ b/.github/workflows/build-integration-test.yml
@@ -17,6 +17,9 @@ on:
       - 'lambda-extension/**'
       - 'Cargo.toml'
 
+permissions:
+  contents: read
+
 jobs:
   build-runtime:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/build-runtime.yml b/.github/workflows/build-runtime.yml
index 0327bd34..288ede1a 100644
--- a/.github/workflows/build-runtime.yml
+++ b/.github/workflows/build-runtime.yml
@@ -15,6 +15,9 @@ on:
       - 'lambda-http/**'
       - 'Cargo.toml'
 
+permissions:
+  contents: read
+
 jobs:
   build-runtime:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/check-docs.yml b/.github/workflows/check-docs.yml
index 4e26c31c..d452f857 100644
--- a/.github/workflows/check-docs.yml
+++ b/.github/workflows/check-docs.yml
@@ -21,6 +21,9 @@ on:
       - 'lambda-extension/**'
       - 'Cargo.toml'
 
+permissions:
+  contents: read
+
 jobs:
   build-runtime:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/check-examples.yml b/.github/workflows/check-examples.yml
index 5ef1536a..ef2b89d5 100644
--- a/.github/workflows/check-examples.yml
+++ b/.github/workflows/check-examples.yml
@@ -5,6 +5,9 @@ on:
     branches: [main]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml
index 2a73fe92..d471b36b 100644
--- a/.github/workflows/closed-issue-message.yml
+++ b/.github/workflows/closed-issue-message.yml
@@ -2,6 +2,9 @@ name: Closed Issue Message
 on:
     issues:
        types: [closed]
+permissions:
+  issues: write
+
 jobs:
     auto_comment:
         runs-on: ubuntu-latest
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 10f8c75f..c7288890 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -2,6 +2,9 @@ name: Formatting and Linting
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   fmt:
     name: Cargo fmt
diff --git a/.github/workflows/test-rie.yml b/.github/workflows/test-rie.yml
index 5d777e2d..0609b80f 100644
--- a/.github/workflows/test-rie.yml
+++ b/.github/workflows/test-rie.yml
@@ -6,6 +6,9 @@ on:
   push:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   test-rie:
     runs-on: ubuntu-latest