diff --git a/.github/workflows/create-release-and-publish.yml b/.github/workflows/create-release-and-publish.yml
index 2c8c4b2a9..3d5ca2293 100644
--- a/.github/workflows/create-release-and-publish.yml
+++ b/.github/workflows/create-release-and-publish.yml
@@ -2,6 +2,9 @@ name: Create Release & Publish To Maven Central
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   create-release-and-publish:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/create-release-candidate.yml b/.github/workflows/create-release-candidate.yml
index d38170d97..1c5ccdd16 100644
--- a/.github/workflows/create-release-candidate.yml
+++ b/.github/workflows/create-release-candidate.yml
@@ -11,6 +11,10 @@ on:
           - minor
           - patch
           - major
+
+permissions:
+  contents: read
+
 jobs:
   update-version:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/github-conventions.yaml b/.github/workflows/github-conventions.yaml
index e6ba4df62..e5c58e50c 100644
--- a/.github/workflows/github-conventions.yaml
+++ b/.github/workflows/github-conventions.yaml
@@ -5,6 +5,10 @@ on:
       - opened
       - edited
       - synchronize
+
+permissions:
+  contents: read
+
 jobs:
   verify:
     name: Verify
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
index 33a540e6f..03abb160f 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/run-tests.yml
@@ -3,6 +3,9 @@ on:
   pull_request:
     types: [ opened, synchronize ]
 
+permissions:
+  contents: read
+
 jobs:
   run-tests:
     runs-on: ubuntu-latest