diff --git a/.github/workflows/Component.BuildTest.yml b/.github/workflows/Component.BuildTest.yml
index b68bb21bc..f05beaa40 100644
--- a/.github/workflows/Component.BuildTest.yml
+++ b/.github/workflows/Component.BuildTest.yml
@@ -28,6 +28,9 @@ on:
 required: false
 type: string
+permissions:
+ contents: read
+
 jobs:
 build-test:
diff --git a/.github/workflows/add-labels.yml b/.github/workflows/add-labels.yml
index 6ecacb631..a97697834 100644
--- a/.github/workflows/add-labels.yml
+++ b/.github/workflows/add-labels.yml
@@ -7,11 +7,12 @@ on:
 branches: [ 'main*' ]
 permissions:
- issues: write
- pull-requests: write
+ contents: read
 jobs:
 add-labels-on-issues:
+ permissions:
+ issues: write
 if: github.event_name == 'issues' && !github.event.issue.pull_request
 runs-on: ubuntu-22.04
@@ -33,6 +34,8 @@ jobs:
 ISSUE_BODY: ${{ github.event.issue.body }}
 add-labels-on-pull-requests:
+ permissions:
+ pull-requests: write
 if: github.event_name == 'pull_request_target'
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a1c9ae6ad..e3a3ed30f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,9 @@ on:
 pull_request:
 branches: [ 'main*' ]
+permissions:
+ contents: read
+
 jobs:
 lint-misspell-sanitycheck:
 uses: ./.github/workflows/sanitycheck.yml
diff --git a/.github/workflows/markdownlint.yml b/.github/workflows/markdownlint.yml
index 150d77a3b..4a9329648 100644
--- a/.github/workflows/markdownlint.yml
+++ b/.github/workflows/markdownlint.yml
@@ -5,6 +5,9 @@ name: Lint - Markdown
 on:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 run-markdownlint:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml
index e2eeb6c47..6c433a8ab 100644
--- a/.github/workflows/post-release.yml
+++ b/.github/workflows/post-release.yml
@@ -16,6 +16,9 @@ on:
 types:
 - created
+permissions:
+ contents: read
+
 jobs:
 automation:
 uses: ./.github/workflows/automation.yml
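Review bot: In add-labels.yml, neither `add-labels-on-issues` nor `add-labels-on-pull-requests` (second hunk) receives the workflow-level `contents: read`, because a job-level `permissions` block replaces the workflow-level one and every scope it omits becomes none. The steps of both jobs are outside these hunks; if either one checks out the repository, that checkout would depend on the repository being publicly readable, so I would add `contents: read` next to `issues: write` and next to `pull-requests: write`. The second job runs on `pull_request_target` with a write-scoped token, so a comment above its block such as `# write scope is for labelling only; do not check out or run PR head code in this job` would document the constraint for later edits.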
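Review bot: In post-release.yml, and in the same form in prepare-release.yml and publish-packages-1.0.yml, the new workflow-level `contents: read` is also the most the `automation` job can pass to `./.github/workflows/automation.yml`, and it becomes the default for every other job in the file. The jobs that perform the release work are outside these hunks, so it is not visible whether any of them tags, creates a release or opens a pull request with `GITHUB_TOKEN`. If one does, it needs its own job-level block with only the scope it uses, for example `contents: write` on that job alone. If all writes go through a separate credential, a comment above the new block such as `# GITHUB_TOKEN is read-only here; writes use a separate bot credential` would record why read-only is sufficient.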
diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
index 07e6c7b88..f153e55aa 100644
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -23,6 +23,9 @@ on:
 types:
 - created
+permissions:
+ contents: read
+
 jobs:
 automation:
 uses: ./.github/workflows/automation.yml
diff --git a/.github/workflows/publish-packages-1.0.yml b/.github/workflows/publish-packages-1.0.yml
index 5b01d394a..a312a3b77 100644
--- a/.github/workflows/publish-packages-1.0.yml
+++ b/.github/workflows/publish-packages-1.0.yml
@@ -16,6 +16,9 @@ on:
 schedule:
 - cron: '0 0 * * *' # once in a day at 00:00
+permissions:
+ contents: read
+
 jobs:
 automation:
 uses: ./.github/workflows/automation.yml