diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4cab0acc9be..3a64afc7c22 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -4,6 +4,9 @@ on:
   push:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   clang-format:
     name: Check code style with clang-format
diff --git a/.github/workflows/coverity-scan.yml b/.github/workflows/coverity-scan.yml
index 105f23e81b9..1bff2f23709 100644
--- a/.github/workflows/coverity-scan.yml
+++ b/.github/workflows/coverity-scan.yml
@@ -4,6 +4,9 @@ on:
     - cron: '0 20 * * *' # Daily at 20:00 UTC
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   latest:
     # Running coverity requires the secrets.COVERITY_SCAN_TOKEN token
diff --git a/.github/workflows/doxygen.yml b/.github/workflows/doxygen.yml
index 3755b92cf58..86ee0811001 100644
--- a/.github/workflows/doxygen.yml
+++ b/.github/workflows/doxygen.yml
@@ -3,6 +3,9 @@ on:
   push:
     branches: ["master"]
   workflow_dispatch:
+permissions:
+  contents: read
+
 concurrency:
   group: "pages"
   cancel-in-progress: false
diff --git a/.github/workflows/test-ssllib.yml b/.github/workflows/test-ssllib.yml
index d8178a72578..5044e36549e 100644
--- a/.github/workflows/test-ssllib.yml
+++ b/.github/workflows/test-ssllib.yml
@@ -1,5 +1,8 @@
 name: test_ssllib
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs: