diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 1dab53dcb..29431204d 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,8 @@ on:
 schedule:
 - cron: "21 0 * * 2"
 
+permissions: read-all
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml
index d29d701ad..b1f69551c 100644
--- a/.github/workflows/pre-submit.actions.yml
+++ b/.github/workflows/pre-submit.actions.yml
@@ -5,6 +5,8 @@ on:
 branches: [main]
 workflow_dispatch:
 
+permissions: read-all
+
 jobs:
 checkout:
 name: verify no checkout in Actions
diff --git a/.github/workflows/pre-submit.e2e.generic.default.yml b/.github/workflows/pre-submit.e2e.generic.default.yml
index a2778af4f..59dff6a05 100644
--- a/.github/workflows/pre-submit.e2e.generic.default.yml
+++ b/.github/workflows/pre-submit.e2e.generic.default.yml
@@ -5,6 +5,8 @@ on:
 branches: [main]
 workflow_dispatch:
 
+permissions: read-all
+
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
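Review bot: The workflow-level `permissions: read-all` added in codeql-analysis.yml still gives the default token read access to every scope, where a narrower default such as `permissions:` with only `contents: read` (or `permissions: {}` plus per-job grants) would be closer to least privilege. The same addition appears in pre-submit.actions.yml and pre-submit.e2e.generic.default.yml, and the latter also exports the token workflow-wide through `GH_TOKEN`, so every step in every job can read it. In codeql-analysis.yml the `analyze` job continues outside the hunk; a CodeQL job that uploads results normally needs `security-events: write`, so confirm it declares its own job-level `permissions:` block, otherwise the read-only default set here would presumably make the upload fail. A short comment above each line, for example `# Read-only default; jobs request extra scopes explicitly.`, would record the intent for later editors.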