diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 493dc97c82..74b5266d5f 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -5,10 +5,14 @@ on: - closed - labeled +permissions: {} + jobs: backport: runs-on: ubuntu-20.04 name: Backport + permissions: + contents: write steps: - name: Backport Bot if: github.event.pull_request.merged && ( ( github.event.action == 'closed' && contains( join( github.event.pull_request.labels.*.name ), 'backport') ) || contains( github.event.label.name, 'backport' ) ) diff --git a/.github/workflows/ci_test.yml b/.github/workflows/ci_test.yml index 12e1834b36..4e97e5dd6c 100644 --- a/.github/workflows/ci_test.yml +++ b/.github/workflows/ci_test.yml @@ -10,6 +10,9 @@ on: - master - r* +permissions: + contents: read + jobs: flake8-test: name: Flake8 diff --git a/.github/workflows/notify_codeowners.yml b/.github/workflows/notify_codeowners.yml index 23637f8199..dbd9de26f6 100644 --- a/.github/workflows/notify_codeowners.yml +++ b/.github/workflows/notify_codeowners.yml @@ -5,6 +5,9 @@ on: types: [opened] +permissions: + contents: read + jobs: notify-codeowners: name: Notify codeowners diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index 9158d7a856..6f0c3a74de 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -6,8 +6,14 @@ on: - master - r* +permissions: + contents: read + jobs: update_release_draft: + permissions: + contents: write # for release-drafter/release-drafter to create a github release + pull-requests: write # for release-drafter/release-drafter to add label to PR runs-on: ubuntu-latest steps: - uses: release-drafter/release-drafter@74e7c423dafbb406c9c18b1638334f67a7c891c3 # Version 5.7.0 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index aae080daff..3388370231 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
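Review bot: The `contents: write` grant on the `backport` job carries no comment saying which step needs it, and it may not be the complete set the bot requires. With `permissions: {}` at workflow level every other scope is `none`, so if the Backport Bot step opens the backport pull request or comments on the original one with `GITHUB_TOKEN`, it also needs `pull-requests: write`; the step's `uses:` and token input lie outside this hunk, so confirm which token it runs with. I would annotate the grant the way the release-drafter.yml hunk does, e.g. `contents: write # for the backport bot to push the backport branch`. The same check applies to the workflow-level `contents: read` added in the notify_codeowners.yml and release.yml hunks, whose jobs are not visible here: any step that comments on a PR or uploads release assets with `GITHUB_TOKEN` needs a job-level override, otherwise it will start failing with a permission error.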
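Review bot: `pull-requests: write` on `update_release_draft` in release-drafter.yml may be broader than the job needs. The inline comment justifies it by label-adding, which as far as I know is release-drafter's autolabeler; that only matters when the workflow runs on pull-request events and the autolabeler is configured, and the trigger block and the step's `with:` inputs are cut off outside this hunk. If the workflow only runs on pushes to `master` and `r*`, `pull-requests: read # for release-drafter/release-drafter to read merged PRs` keeps the job at the minimum. The action is already pinned to a commit SHA, which is the right companion to a write-scoped token.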
@@ -14,6 +14,9 @@ on: - master - r* +permissions: + contents: read + env: MIN_PY_VERSION: '3.9' MAX_PY_VERSION: '3.11' diff --git a/.github/workflows/validate_codeowners.yml b/.github/workflows/validate_codeowners.yml index e40a62f598..53be277148 100644 --- a/.github/workflows/validate_codeowners.yml +++ b/.github/workflows/validate_codeowners.yml @@ -15,6 +15,9 @@ on: # Otherwise, it's useless, it just check the codeowners file from the latest commit in master +permissions: + contents: read + jobs: validate-codeowners: name: Check that the CODEOWNERS is valid