diff --git a/.github/workflows/cs.yml b/.github/workflows/cs.yml index f0f632d50..7e5f8a5c8 100644 --- a/.github/workflows/cs.yml +++ b/.github/workflows/cs.yml @@ -13,10 +13,16 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: actionlint: #---------------------------------------------------------------------- name: 'Check GHA workflows' runs-on: ubuntu-latest + permissions: + contents: read # Needed to clone the repo. steps: - name: Checkout code @@ -41,6 +47,8 @@ jobs: phpcs: #---------------------------------------------------------------------- name: 'PHPCS' runs-on: ubuntu-latest + permissions: + contents: read # Needed to clone the repo. steps: - name: Checkout code diff --git a/.github/workflows/label-merge-conflicts.yml b/.github/workflows/label-merge-conflicts.yml index e3518a36f..f2dbe3c53 100644 --- a/.github/workflows/label-merge-conflicts.yml +++ b/.github/workflows/label-merge-conflicts.yml @@ -13,10 +13,16 @@ on: - synchronize - reopened +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: check-prs: runs-on: ubuntu-latest if: github.repository_owner == 'WordPress' + permissions: + pull-requests: write # Needed to add and remove labels on the PR. name: Check PRs for merge conflicts diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 8db30b3c8..3f7bbfafc 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
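Review bot: In the label-merge-conflicts.yml hunk the `check-prs` job now receives only `pull-requests: write`, so if any of its steps (they begin after the end of the hunk) check out the repository with the token, `contents: read` must be listed as well, because naming one scope sets every unnamed scope to none. The event the listed `synchronize`/`reopened` activity types belong to is above the hunk; if it is `pull_request_target` rather than `pull_request`, this write-scoped token is also issued for fork PRs and the job must never check out or execute the PR head. Stating that constraint next to the scope would keep a future step from quietly widening the blast radius, e.g. `# Label metadata only; never check out or run PR head code in this job.`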
@@ -13,9 +13,15 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: lint: #---------------------------------------------------------------------- runs-on: ubuntu-latest + permissions: + contents: read # Needed to clone the repo. strategy: matrix: diff --git a/.github/workflows/quicktest.yml b/.github/workflows/quicktest.yml index 97e275cc3..92f055a07 100644 --- a/.github/workflows/quicktest.yml +++ b/.github/workflows/quicktest.yml @@ -13,11 +13,17 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: #### QUICK TEST STAGE #### # Runs the tests against select PHP versions for pushes to arbitrary branches. quicktest: runs-on: ubuntu-latest + permissions: + contents: read # Needed to clone the repo. strategy: matrix: diff --git a/.github/workflows/reusable-update-cacert.yml b/.github/workflows/reusable-update-cacert.yml index 9ea93edfe..ad04bf4c8 100644 --- a/.github/workflows/reusable-update-cacert.yml +++ b/.github/workflows/reusable-update-cacert.yml @@ -3,11 +3,19 @@ name: Certificates on: workflow_call: +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: certificate-check: name: "Check for updated certificate bundle" runs-on: ubuntu-latest + permissions: + contents: write # Needed to push commits to a branch in the repo. + pull-requests: write # Needed to create a PR. + steps: - name: Determine branches to use id: branches diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d534d57f6..0999b9199 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
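Review bot: In the reusable-update-cacert.yml hunk the `contents: write`/`pull-requests: write` block on `certificate-check` is only an upper bound, since this is a `workflow_call` workflow and the effective token is capped by what the calling job grants; a caller that grants less will fail at the push or PR step at run time rather than at parse time. That dependency is worth recording next to the block, e.g. `# Upper bound only: a workflow_call job's permissions are capped by the caller, which must grant at least these scopes.` The job's steps continue past the end of the hunk, so whether the bundle download and the push happen in the same job is not visible here; if they do, a read-only job that fetches the bundle and hands it to a separate write-scoped job would keep the write token away from the network-fetch step.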
@@ -14,10 +14,16 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: #### TEST STAGE #### test: runs-on: ubuntu-latest + permissions: + contents: read # Needed to clone the repo. strategy: # Keys: diff --git a/.github/workflows/update-cacert-cron.yml b/.github/workflows/update-cacert-cron.yml index b37d842e0..b263b73a2 100644 --- a/.github/workflows/update-cacert-cron.yml +++ b/.github/workflows/update-cacert-cron.yml @@ -11,9 +11,16 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: certificate-check: # Don't run the cron job on forks. if: ${{ github.event.repository.fork == false }} + permissions: + contents: write # Needed to push commits to a branch in the repo. + pull-requests: write # Needed to create a PR. uses: ./.github/workflows/reusable-update-cacert.yml diff --git a/.github/workflows/update-cacert.yml b/.github/workflows/update-cacert.yml index b3e600923..6439c4fab 100644 --- a/.github/workflows/update-cacert.yml +++ b/.github/workflows/update-cacert.yml @@ -24,6 +24,14 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} + jobs: certificate-check: + permissions: + contents: write # Needed to push commits to a branch in the repo. + pull-requests: write # Needed to create a PR. + uses: ./.github/workflows/reusable-update-cacert.yml diff --git a/.github/workflows/update-website.yml b/.github/workflows/update-website.yml index 5bcca3e97..b9ff2e21e 100644 --- a/.github/workflows/update-website.yml 
+++ b/.github/workflows/update-website.yml @@ -21,9 +21,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - pull-requests: write - contents: write +# Disable permissions for all available scopes by default. +# Any needed permissions should be configured at the job level. +permissions: {} jobs: prepare: @@ -32,6 +32,9 @@ jobs: if: github.repository == 'WordPress/Requests' runs-on: ubuntu-latest + permissions: + contents: read # Needed to clone the repo. + steps: # By default use the `stable` branch as the published docs should always # reflect the latest release. @@ -91,6 +94,10 @@ jobs: if: github.repository == 'WordPress/Requests' runs-on: ubuntu-latest + permissions: + contents: write # Needed to push commits to a branch in the repo. + pull-requests: write # Needed to create a PR. + steps: # PRs based on the "pull request" event trigger will contain changes from the # current `develop` branch, so should not be published as the website should
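Review bot: The job in the `@@ -91,6 +94,10 @@` hunk gets `contents: write` and `pull-requests: write` gated only by `if: github.repository == 'WordPress/Requests'`, while the comment under `steps:` says runs coming from the pull-request trigger must not be published. If that gating lives at step level (the steps continue past the hunk), the write-scoped token is still minted for every PR run of this job; lifting the condition into the job `if:` avoids issuing it at all, e.g. `if: github.repository == 'WordPress/Requests' && github.event_name != 'pull_request'`, with the exact event name taken from the `on:` block above the hunk. A one-line comment on the `permissions:` block, `# Write scopes are for the publish step only; PR-triggered runs must not reach it.`, would make the intent explicit for the next edit.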