diff --git a/.github/workflows/dockerhub-latest-image.yml b/.github/workflows/dockerhub-latest-image.yml
index fe209083b..76c6dcbd0 100644
--- a/.github/workflows/dockerhub-latest-image.yml
+++ b/.github/workflows/dockerhub-latest-image.yml
@@ -3,6 +3,8 @@ on:
 push:
 branches:
 - master
+permissions:
+ contents: read
 jobs:
 publish-image-to-dockerhub:
 name: publish to DockerHub
diff --git a/.github/workflows/dockerhub-released-chart.yml b/.github/workflows/dockerhub-released-chart.yml
index 3c1d569cf..0b1d1096f 100644
--- a/.github/workflows/dockerhub-released-chart.yml
+++ b/.github/workflows/dockerhub-released-chart.yml
@@ -3,6 +3,8 @@ on:
 release:
 types:
 - published
+permissions:
+ contents: read
 jobs:
 publish-chart-to-dockerhub:
 name: publish to DockerHub
diff --git a/.github/workflows/dockerhub-released-image.yml b/.github/workflows/dockerhub-released-image.yml
index a36c9cae6..2384499ec 100644
--- a/.github/workflows/dockerhub-released-image.yml
+++ b/.github/workflows/dockerhub-released-image.yml
@@ -3,6 +3,8 @@ on:
 release:
 types:
 - published
+permissions:
+ contents: read
 jobs:
 publish-image-to-dockerhub:
 name: publish to DockerHub
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8a5243585..e5c30b86c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,8 +3,12 @@ on:
 types:
 - published
 name: Build Release
+permissions:
+ contents: read
 jobs:
 release-assests:
+ permissions:
+ contents: write # for softprops/action-gh-release to create GitHub release
 name: release kubectl-karmada
 runs-on: ubuntu-22.04
 strategy:
@@ -41,6 +45,8 @@ jobs:
 _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz
 _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz.sha256
 release-crds-assests:
+ permissions:
+ contents: write # for softprops/action-gh-release to create GitHub release
 name: release crds
 runs-on: ubuntu-22.04
 steps:
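Review bot: The workflow-level `permissions:` block added under `on:` in dockerhub-latest-image.yml lists only `contents: read`, and once a `permissions` key is present every scope that is not listed is set to none for all jobs in the workflow. The publish job's steps are outside this hunk, so it is worth confirming that none of them depends on another token scope (for example `id-token: write` if images are signed with an OIDC-issued identity) and granting that scope at job level if one does. The same check applies to the identical hunks in dockerhub-released-chart.yml, dockerhub-released-image.yml, swr-latest-image.yml and swr-released-image.yml. A comment above the block such as `# least-privilege default; scopes not listed here are none` would make the intent explicit for the next maintainer.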
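Review bot: `contents: write` under `release-assests` in release.yml is granted to the whole job, so every step in it receives a write-capable GITHUB_TOKEN, not only the softprops/action-gh-release upload that the comment names. The job's steps are outside the hunk; if the build runs in the same job, consider building under the workflow default `contents: read` and passing the archives as artifacts to a small upload-only job that alone holds `contents: write`. It is also worth confirming that the third-party action is pinned to a full commit SHA, since it is the step that is handed the write token. The same applies to `release-crds-assests`, `release-charts` and `sbom-assests` in the later hunks of this file.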
@@ -61,6 +67,8 @@ jobs:
 files: |
 crds.tar.gz
 release-charts:
+ permissions:
+ contents: write # for softprops/action-gh-release to create GitHub release
 name: Release charts
 runs-on: ubuntu-22.04
 steps:
@@ -79,6 +87,8 @@ jobs:
 _output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz
 _output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz.sha256
 sbom-assests:
+ permissions:
+ contents: write # for softprops/action-gh-release to create GitHub release
 name: Release sbom
 runs-on: ubuntu-22.04
 steps:
diff --git a/.github/workflows/swr-latest-image.yml b/.github/workflows/swr-latest-image.yml
index f492b37c5..aa344b53f 100644
--- a/.github/workflows/swr-latest-image.yml
+++ b/.github/workflows/swr-latest-image.yml
@@ -3,6 +3,8 @@ on:
 push:
 branches:
 - master
+permissions:
+ contents: read
 jobs:
 publish-image:
 name: publish images
diff --git a/.github/workflows/swr-released-image.yml b/.github/workflows/swr-released-image.yml
index 4880ad3f6..83730446c 100644
--- a/.github/workflows/swr-released-image.yml
+++ b/.github/workflows/swr-released-image.yml
@@ -3,6 +3,8 @@ on:
 release:
 types:
 - published
+permissions:
+ contents: read
 jobs:
 release-image:
 name: release images