diff --git a/.github/workflows/maven_release.yml b/.github/workflows/maven_release.yml
index 492e90569..a27f14bd3 100644
--- a/.github/workflows/maven_release.yml
+++ b/.github/workflows/maven_release.yml
@@ -5,6 +5,9 @@ on:
     types:
       - published
 
+permissions:
+  contents: read
+
 jobs:
   ubuntu-latest-aurora-release-to-maven:
     name: 'Build And Release to Maven'
diff --git a/.github/workflows/maven_snapshot.yml b/.github/workflows/maven_snapshot.yml
index 998b1f913..77e6a87fb 100644
--- a/.github/workflows/maven_snapshot.yml
+++ b/.github/workflows/maven_snapshot.yml
@@ -6,6 +6,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   ubuntu-latest-aurora-snapshot-to-maven:
     name: 'Build And Upload Snapshot to Maven'
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 00ddf0d97..570f7b4af 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -11,6 +11,9 @@ concurrency:
   group: environment-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   ubuntu-latest-aurora-run-community-tests:
     name: 'Run Community Tests'
diff --git a/.github/workflows/remove-old-artifacts.yml b/.github/workflows/remove-old-artifacts.yml
index 11e87980b..ed9ff6836 100644
--- a/.github/workflows/remove-old-artifacts.yml
+++ b/.github/workflows/remove-old-artifacts.yml
@@ -5,6 +5,9 @@ on:
     # Every day at 1am
     - cron: '0 1 * * *'
 
+permissions:
+  actions: write
+
 jobs:
   remove-old-artifacts:
     runs-on: ubuntu-latest