diff --git a/.github/workflows/contributed-recipes.yml b/.github/workflows/contributed-recipes.yml
index 93ed4db564..9a163035d9 100644
--- a/.github/workflows/contributed-recipes.yml
+++ b/.github/workflows/contributed-recipes.yml
@@ -30,6 +30,9 @@ on:
 required: true
 type: boolean
+permissions:
+ contents: read
+
 jobs:
 generate-matrix:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/docker-build-test-upload.yml b/.github/workflows/docker-build-test-upload.yml
index 5b6675284b..470bb650d2 100644
--- a/.github/workflows/docker-build-test-upload.yml
+++ b/.github/workflows/docker-build-test-upload.yml
@@ -38,6 +38,9 @@ on:
 required: true
 type: number
+permissions:
+ contents: read
+
 jobs:
 build-test-upload:
 runs-on: ${{ inputs.runs-on }}
diff --git a/.github/workflows/docker-tag-push.yml b/.github/workflows/docker-tag-push.yml
index 0276a3c9c2..b8dbdfb9e4 100644
--- a/.github/workflows/docker-tag-push.yml
+++ b/.github/workflows/docker-tag-push.yml
@@ -26,6 +26,9 @@ on:
 REGISTRY_TOKEN:
 required: true
+permissions:
+ contents: read
+
 jobs:
 tag-push:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/docker-wiki-update.yml b/.github/workflows/docker-wiki-update.yml
index 13269e3404..e7314842fa 100644
--- a/.github/workflows/docker-wiki-update.yml
+++ b/.github/workflows/docker-wiki-update.yml
@@ -8,6 +8,9 @@ env:
 on:
 workflow_call:
+permissions:
+ contents: write
+
 jobs:
 wiki-update:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 6e48a3d857..9220cdc386 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -61,6 +61,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 aarch64-foundation:
 uses: ./.github/workflows/docker-build-test-upload.yml
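Review bot: Declaring `permissions:` with only `contents: read` in `.github/workflows/contributed-recipes.yml` sets every scope of `GITHUB_TOKEN` that is not listed to `none`, and the hunk shows no job steps to confirm that nothing relied on another scope. The same applies to the `contents: read` hunks in `docker-build-test-upload.yml`, `docker-tag-push.yml`, `docker.yml`, `pre-commit.yml`, `registry-move.yml`, `registry-overviews.yml` and `sphinx.yml`. It is worth checking each job for steps that use the token for anything beyond checkout. A short comment above the block such as `# least privilege: jobs only need to read the repository` would record that the restriction is deliberate.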
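Review bot: In `.github/workflows/docker-wiki-update.yml` the new `contents: write` is declared at workflow level, so any job later added to this reusable workflow would inherit a write-capable `GITHUB_TOKEN`. Declaring it on the `wiki-update` job instead ties the grant to the one job that presumably pushes (its steps are outside the hunk). A comment should state the reason, e.g. `# contents: write is required to push the generated wiki pages`, if that is indeed why it is needed. Because this file is invoked through `workflow_call`, the token it receives is also capped by the calling job, so each caller has to grant `contents: write` itself now that `docker.yml` defaults to `contents: read`.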
@@ -437,3 +440,5 @@ jobs:
 uses: ./.github/workflows/docker-wiki-update.yml
 needs: tag-push-fast
 if: contains(github.event.pull_request.title, '[FAST_BUILD]')
+ permissions:
+ contents: write
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 5663c8d850..7c6df2228f 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -7,6 +7,9 @@ on:
 - main
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 run-hooks:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/registry-move.yml b/.github/workflows/registry-move.yml
index 77ae24d106..4d31e560d2 100644
--- a/.github/workflows/registry-move.yml
+++ b/.github/workflows/registry-move.yml
@@ -15,6 +15,9 @@ on:
 - ".github/workflows/registry-move.yml"
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 registry-move:
 # To be able to use the latest skopeo
diff --git a/.github/workflows/registry-overviews.yml b/.github/workflows/registry-overviews.yml
index 161ca7d4dc..411f2b64ee 100644
--- a/.github/workflows/registry-overviews.yml
+++ b/.github/workflows/registry-overviews.yml
@@ -13,6 +13,9 @@ on:
 - "images/*/README.md"
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 update-overview:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/sphinx.yml b/.github/workflows/sphinx.yml
index 49b009b083..7f8786d9cd 100644
--- a/.github/workflows/sphinx.yml
+++ b/.github/workflows/sphinx.yml
@@ -38,6 +38,9 @@ on:
 - "tagging/taggers/tagger_interface.py"
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 build-docs:
 runs-on: ubuntu-24.04
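Review bot: In the `@@ -437,3 +440,5 @@` hunk of `.github/workflows/docker.yml`, only the job gated on `[FAST_BUILD]` gains `permissions:` / `contents: write`. Any other job in this file that also has `uses: ./.github/workflows/docker-wiki-update.yml` is not visible here and would now fall under the new top-level `contents: read`. GitHub rejects a called workflow that requests more than its caller grants, so such a job would need the same two lines or the run fails validation. The job's name and the rest of the file are outside the hunk, so this should be checked against the full file.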