diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index aae01cddc..9da861c57 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -10,6 +10,11 @@ on:
   schedule:
     - cron: '0 13 * * 5'
 
+permissions:
+  contents: read
+  actions: read
+  security-events: write
+
 jobs:
   CodeQL-Build:
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 836c32357..89add8820 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,10 @@ name: Release
       - next
       - beta
       - "*.x"
+
+permissions:
+  contents: read
+
 jobs:
   release:
     name: release
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 4e6a72562..a462c85a8 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -8,6 +8,10 @@ name: Test
     types:
       - opened
       - synchronize
+
+permissions:
+  contents: read
+
 jobs:
   test_matrix:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update-prettier.yml b/.github/workflows/update-prettier.yml
index ba5d3ba4e..e5c37af84 100644
--- a/.github/workflows/update-prettier.yml
+++ b/.github/workflows/update-prettier.yml
@@ -3,6 +3,10 @@ name: Update Prettier
   push:
     branches:
       - renovate/prettier-*
+
+permissions:
+  contents: read
+
 jobs:
   update_prettier:
     runs-on: ubuntu-latest