diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index acbce7006..be2a9feef 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,6 +10,9 @@ on:
       - main
       - 'release/**'
 
+permissions:
+  contents: read
+
 jobs:
   test-linux-amd64:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/check-latest-release.yml b/.github/workflows/check-latest-release.yml
index 9f9403586..520ed73b6 100644
--- a/.github/workflows/check-latest-release.yml
+++ b/.github/workflows/check-latest-release.yml
@@ -5,6 +5,9 @@ on:
     - cron: 0 2 * * 1,4
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 jobs:
   check-release:
     runs-on:
diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
index 923d75536..c8b6809e8 100644
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -3,6 +3,9 @@ name: draft-release
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   draft-release:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml
index 8d8f9098f..dbf4e9a45 100644
--- a/.github/workflows/post-release.yml
+++ b/.github/workflows/post-release.yml
@@ -5,6 +5,9 @@ on:
     types:
       - published # trigger for releases and pre-releases
 
+permissions:
+  contents: read
+
 jobs:
   retag-lifecycle-images:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test-s390x.yml b/.github/workflows/test-s390x.yml
index 6fcce86a0..bfe76e01a 100644
--- a/.github/workflows/test-s390x.yml
+++ b/.github/workflows/test-s390x.yml
@@ -9,6 +9,9 @@ on:
       - main
       - 'release/**'
 
+permissions:
+  contents: read
+
 jobs:
   test-linux-s390x:
     if: (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/release*')