diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 2c272bc92..744e06077 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -24,6 +24,10 @@ on:
 schedule:
 - cron: '45 10 * * 1'
 
+permissions:
+ contents: read
+ security-events: write
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index acee9225b..8070504e0 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -21,6 +21,9 @@ on:
 pull_request:
 branches: [ main, development ]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-20.04
diff --git a/.github/workflows/verify-k8s.yml b/.github/workflows/verify-k8s.yml
index 859f7cfbb..894867f69 100644
--- a/.github/workflows/verify-k8s.yml
+++ b/.github/workflows/verify-k8s.yml
@@ -17,6 +17,9 @@ name: Verify-K8s
 
 on: [push, pull_request]
 
+permissions:
+ contents: read
+
 jobs:
 verify-k8s-manifests:
 name: k8s manifest check
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index d220539f4..0c7185e5e 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -17,6 +17,9 @@ name: Verify
 
 on: [push, pull_request]
 
+permissions:
+ contents: read
+
 jobs:
 license-check:
 name: license boilerplate check
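Review bot: In `.github/workflows/codeql-analysis.yml` the new workflow-level `permissions:` block gives `security-events: write` to every job in the file and leaves out `actions: read`, which the CodeQL action needs when the repository is private. Once any scope is listed, every unlisted scope becomes `none`, so if this repository is or later becomes private the analysis would likely fail for lack of that scope. Consider keeping only `contents: read` at the top level and declaring `actions: read`, `contents: read` and `security-events: write` in a `permissions:` block under the `analyze` job. The `jobs:` block continues outside the hunk, so whether other jobs would inherit the write scope cannot be seen from here.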
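Review bot: The `contents: read` block added to `.github/workflows/main.yml`, and the identical blocks in `verify-k8s.yml` and `verify.yml`, sets every other `GITHUB_TOKEN` scope to `none`, and the job steps that would show whether that is sufficient lie outside these hunks. Check each job for steps that use the token beyond checkout, such as publishing to a package registry, commenting on pull requests, uploading release assets or requesting an OIDC token, and grant the extra scope on that job only, for example `packages: write` or `id-token: write` in a job-level `permissions:` block. A comment above each block, such as `# Least privilege: scopes not listed here are none; grant extras per job`, would steer later contributors away from widening the workflow-level grant.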