diff --git a/.github/workflows/auto-update-spec-repo-links.yml b/.github/workflows/auto-update-spec-repo-links.yml
index 4dff01a57..d2d61dbac 100644
--- a/.github/workflows/auto-update-spec-repo-links.yml
+++ b/.github/workflows/auto-update-spec-repo-links.yml
@@ -5,6 +5,9 @@ on: - cron: "46 * * * *" workflow_dispatch: +permissions: + contents: read + jobs: check-versions: runs-on: ubuntu-latest
@@ -43,6 +46,8 @@ jobs: echo "already-opened=$already_opened" >> $GITHUB_OUTPUT update-spec-repo-links: + permissions: + contents: write # required for pushing changes runs-on: ubuntu-latest if: | needs.check-versions.outputs.current-version != needs.check-versions.outputs.latest-version &&
diff --git a/.github/workflows/build-system-check.yml b/.github/workflows/build-system-check.yml
index b794c2b5b..115404797 100644
--- a/.github/workflows/build-system-check.yml
+++ b/.github/workflows/build-system-check.yml
@@ -14,6 +14,9 @@ on: - 'dependencies.Dockerfile' - 'internal/tools/**' +permissions: + contents: read + jobs: # Ensure that invoking "make" without a specific build target will succeed.
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index ce5b88699..f1e411be1 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -11,6 +11,9 @@ on: - main merge_group: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 73da418e6..ba0c12c07 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -7,6 +7,9 @@ on: pull_request: merge_group: +permissions: + contents: read + jobs: markdownlint: runs-on: ubuntu-latest
diff --git a/.github/workflows/daily-link-check.yml b/.github/workflows/daily-link-check.yml
index ae650d22e..61d676f88 100644
--- a/.github/workflows/daily-link-check.yml
+++ b/.github/workflows/daily-link-check.yml
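Review bot: The job-level `permissions:` block added to `update-spec-repo-links` replaces the workflow-level grant for that job rather than extending it, so every scope not listed there is set to none; the same applies to the job-level blocks (and their one-space inline comments) in generate-registry-area-labels, prepare-new-issue and stale-pr. The `already-opened` output computed in `check-versions` suggests this job opens a pull request, and if it does so with the default GITHUB_TOKEN rather than a PAT or app token, `pull-requests: write` would have to be listed alongside `contents: write`; the job body continues past the hunk, so this cannot be confirmed from the diff. A comment on the block recording which token the job uses, e.g. `# replaces the workflow-level block; GITHUB_TOKEN pushes the branch, the PR is opened with <TOKEN-SECRET-PLACEHOLDER>`, would make the intent checkable by the next reviewer. As a style point, yamllint's default `comments` rule wants two spaces before an inline `#`: `contents: write  # required for pushing changes`.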
@@ -8,13 +8,15 @@ on: permissions: contents: read - issues: write jobs: link-check: uses: ./.github/workflows/reusable-link-check.yml workflow-notification: + permissions: # required by the reusable workflow + contents: read + issues: write needs: - link-check if: always()
diff --git a/.github/workflows/generate-registry-area-labels.yml b/.github/workflows/generate-registry-area-labels.yml
index 6b646389b..9d8caa977 100644
--- a/.github/workflows/generate-registry-area-labels.yml
+++ b/.github/workflows/generate-registry-area-labels.yml
@@ -10,8 +10,13 @@ on: workflow_dispatch: +permissions: + contents: read + jobs: generate-component-labels: + permissions: + issues: write # required for labeling PRs runs-on: ubuntu-latest if: ${{ github.repository_owner == 'open-telemetry' }} steps:
diff --git a/.github/workflows/prepare-new-issue.yml b/.github/workflows/prepare-new-issue.yml
index 055215a90..1d03fef4c 100644
--- a/.github/workflows/prepare-new-issue.yml
+++ b/.github/workflows/prepare-new-issue.yml
@@ -3,8 +3,13 @@ on: issues: types: [opened] +permissions: + contents: read + jobs: prepare-new-issue: + permissions: + issues: write # required for labeling issues runs-on: ubuntu-latest if: ${{ github.repository_owner == 'open-telemetry' }} steps:
diff --git a/.github/workflows/prepare-new-pr.yml b/.github/workflows/prepare-new-pr.yml
index a4ce952e5..caef91132 100644
--- a/.github/workflows/prepare-new-pr.yml
+++ b/.github/workflows/prepare-new-pr.yml
@@ -5,6 +5,9 @@ on: branches: [ 'main*' ] paths: ['.chloggen/*'] +permissions: + contents: read + jobs: prepare-new-pr: runs-on: ubuntu-latest
diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
index abd11b3c1..8007cdc4e 100644
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -6,6 +6,9 @@ on: description: 'The version to release, e.g. 1.30.0' required: true +permissions: + contents: read + jobs: create-pull-request: runs-on: ubuntu-latest
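Review bot: In prepare-release the new workflow-level `permissions: contents: read` leaves the `create-pull-request` job with a read-only GITHUB_TOKEN, and no job-level override is added in this hunk, so if that job pushes a release branch and opens the PR with the default token it will now fail on the push or on PR creation. If the job instead authenticates with a PAT or GitHub App token the change is correct; the job body lies outside the hunk, so this cannot be settled from the diff. The same check applies to the `prepare-new-pr` job in prepare-new-pr.yml, which likewise receives only `contents: read` here with no job-level grant visible. Whichever is the case, a short comment under the block, such as `# read-only by default; jobs that write authenticate with <TOKEN-SECRET-PLACEHOLDER>, not GITHUB_TOKEN`, would record the decision next to the grant it justifies.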
diff --git a/.github/workflows/stale-pr.yml b/.github/workflows/stale-pr.yml
index 6864580c4..7ada8aec2 100644
--- a/.github/workflows/stale-pr.yml
+++ b/.github/workflows/stale-pr.yml
@@ -3,8 +3,13 @@ on: schedule: - cron: "12 3 * * *" # arbitrary time not to DDOS GitHub +permissions: + contents: read + jobs: stale: + permissions: + pull-requests: write # required for closing stale PRs runs-on: ubuntu-latest steps: - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
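Review bot: The job-level block on `stale` grants only `pull-requests: write`, and because a job-level `permissions:` replaces the workflow-level one, the token ends up with no `issues` scope at all; actions/stale processes both issues and pull requests unless its inputs restrict it to PRs, so if the action's `with:` block (outside the hunk) does not disable issue processing, the run would hit permission errors when it tries to label or close an issue. If the workflow is PR-only as the filename suggests, stating that on the grant saves the next reader the same check: `pull-requests: write  # PR-only: actions/stale issue processing is disabled in its inputs`. The stale job's `steps:` continue past the end of the hunk, so the action's inputs are not visible here.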