diff --git a/.github/workflows/build-presets.yml b/.github/workflows/build-presets.yml
index 37854aed174..94f1020a677 100644
--- a/.github/workflows/build-presets.yml
+++ b/.github/workflows/build-presets.yml
@@ -12,6 +12,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.event_name == 'workflow_dispatch' }}-${{ github.event_name == 'schedule' }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 apple:
 uses: pytorch/test-infra/.github/workflows/macos_job.yml@main
diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml
index b33c0a0ca49..14277d3dac2 100644
--- a/.github/workflows/cherry-pick.yml
+++ b/.github/workflows/cherry-pick.yml
@@ -4,6 +4,9 @@ on:
 repository_dispatch:
 types: [try-cherry-pick]
 
+permissions:
+ contents: read
+
 jobs:
 cherry-pick:
 name: cherry-pick-pr-${{ github.event.client_payload.pr_num }}
diff --git a/.github/workflows/ghstack_land.yml b/.github/workflows/ghstack_land.yml
index 09bd2a7ced4..84fde434331 100644
--- a/.github/workflows/ghstack_land.yml
+++ b/.github/workflows/ghstack_land.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - 'gh/*/[0-9]+/base'
 
+permissions:
+ contents: read
+
 jobs:
 ghstack_merge_to_main:
 name: Try to create a PR with ghstack /orig branch
diff --git a/.github/workflows/metal.yml b/.github/workflows/metal.yml
index de6507e035a..96fec343a48 100644
--- a/.github/workflows/metal.yml
+++ b/.github/workflows/metal.yml
@@ -20,6 +20,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.event_name == 'workflow_dispatch' }}-${{ github.event_name == 'schedule' }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 test-metal-builds:
 name: test-executorch-metal-build
diff --git a/.github/workflows/test-backend-arm.yml b/.github/workflows/test-backend-arm.yml
index 1918e8e72f8..40ac46a87d5 100644
--- a/.github/workflows/test-backend-arm.yml
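Review bot: The `apple` job in build-presets.yml calls a reusable workflow (`uses: pytorch/test-infra/.github/workflows/macos_job.yml@main`), and a called workflow's GITHUB_TOKEN can never hold more than the caller grants, so the new top-level `permissions: contents: read` now caps everything that workflow does. If any job inside it requests another scope (for example `id-token: write` for OIDC), GitHub rejects the run at startup rather than downgrading it; this cannot be checked from the hunk, since the called file is not shown and the `jobs:` map continues past it. The same applies to the `test-arm`, `test-coreml`, `test-openvino`, `test-qnn`, `test-vulkan` and `test-xnnpack` jobs that call `./.github/workflows/_test_backend.yml`. Where an extra scope turns out to be needed, grant it on the calling job only, with a job-level `permissions:` holding `contents: read` plus that one scope, and keep the workflow default read-only.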
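Review bot: The `cherry-pick` job in cherry-pick.yml now runs with a read-only GITHUB_TOKEN, but its steps are outside this hunk, so it is not visible which credential pushes the cherry-pick branch or opens the PR. If any step relies on `GITHUB_TOKEN` for that, it will start failing with a 403; the fix would be a job-level `permissions:` on that job listing only the write scopes it uses (likely `contents: write` and `pull-requests: write`), not a wider workflow default. The same check applies to `ghstack_merge_to_main` in ghstack_land.yml, whose name says it tries to create a PR. If both jobs already write through a separate bot credential, a short comment above the block such as `# GITHUB_TOKEN stays read-only; writes use a dedicated token` would stop a later editor from widening it.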
+++ b/.github/workflows/test-backend-arm.yml
@@ -16,6 +16,9 @@ concurrency:
 group: ${{ github.workflow }}--${{ github.event.pull_request.number || github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 test-arm:
 uses: ./.github/workflows/_test_backend.yml
diff --git a/.github/workflows/test-backend-coreml.yml b/.github/workflows/test-backend-coreml.yml
index 3a597685cfe..0a163ff43d1 100644
--- a/.github/workflows/test-backend-coreml.yml
+++ b/.github/workflows/test-backend-coreml.yml
@@ -16,6 +16,9 @@ concurrency:
 group: ${{ github.workflow }}--${{ github.event.pull_request.number || github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 test-coreml:
 uses: ./.github/workflows/_test_backend.yml
diff --git a/.github/workflows/test-backend-openvino.yml b/.github/workflows/test-backend-openvino.yml
index a00589d06ae..3265049c85a 100644
--- a/.github/workflows/test-backend-openvino.yml
+++ b/.github/workflows/test-backend-openvino.yml
@@ -18,6 +18,9 @@ concurrency:
 group: ${{ github.workflow }}--${{ github.event.pull_request.number || github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 test-openvino:
 uses: ./.github/workflows/_test_backend.yml
diff --git a/.github/workflows/test-backend-qnn.yml b/.github/workflows/test-backend-qnn.yml
index a97ad87b1f9..1b7696051cf 100644
--- a/.github/workflows/test-backend-qnn.yml
+++ b/.github/workflows/test-backend-qnn.yml
@@ -16,6 +16,9 @@ concurrency:
 group: ${{ github.workflow }}--${{ github.event.pull_request.number || github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 test-qnn:
 uses: ./.github/workflows/_test_backend.yml
diff --git a/.github/workflows/test-backend-vulkan.yml b/.github/workflows/test-backend-vulkan.yml
index 0461527b073..756bd661d66 100644
--- a/.github/workflows/test-backend-vulkan.yml
+++ b/.github/workflows/test-backend-vulkan.yml
@@ -16,6 +16,9 @@ concurrency:
 group: ${{ github.workflow }}--${{ github.event.pull_request.number || github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 test-vulkan:
 uses: ./.github/workflows/_test_backend.yml
diff --git a/.github/workflows/test-backend-xnnpack.yml b/.github/workflows/test-backend-xnnpack.yml
index f345563ac8f..2371b11742f 100644
--- a/.github/workflows/test-backend-xnnpack.yml
+++ b/.github/workflows/test-backend-xnnpack.yml
@@ -16,6 +16,9 @@ concurrency:
 group: ${{ github.workflow }}--${{ github.event.pull_request.number || github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 test-xnnpack:
 uses: ./.github/workflows/_test_backend.yml
diff --git a/.github/workflows/validate_flatbuffer_gen.yml b/.github/workflows/validate_flatbuffer_gen.yml
index 96eeda95e04..dcc51aac1a1 100644
--- a/.github/workflows/validate_flatbuffer_gen.yml
+++ b/.github/workflows/validate_flatbuffer_gen.yml
@@ -7,6 +7,9 @@ on:
 - "schema/**"
 - "exir/_serialize/generated/executorch_flatbuffer/**"
 
+permissions:
+ contents: read
+
 jobs:
 exir-flatbuffer:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/windows-msvc.yml b/.github/workflows/windows-msvc.yml
index 1f6586cb3cc..5d62028b7e2 100644
--- a/.github/workflows/windows-msvc.yml
+++ b/.github/workflows/windows-msvc.yml
@@ -17,6 +17,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.event_name == 'workflow_dispatch' }}-${{ github.event_name == 'schedule' }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 build-windows-msvc:
 name: build-windows-msvc