diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 82186d3c1..1095b1691 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,4 +1,5 @@
 name: CI
+permissions: read-all
 
 on:
   push:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a856e54b8..fd38f6ea3 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -10,6 +10,7 @@
 # supported CodeQL languages.
 #
 name: "CodeQL"
+permissions: read-all
 
 on:
   push:
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
index 53dd4727f..885264290 100644
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@@ -6,6 +6,8 @@
 # https://github.com/actions/labeler
 
 name: Labeler
+permissions: read-all
+
 on: [pull_request_target]
 
 jobs:
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index f8d8bc1fa..7394617c0 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,4 +1,6 @@
 name: OSS-Fuzz
+permissions: read-all
+
 on: 
   pull_request:
     branches:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index b322b747c..45f011929 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,4 +1,5 @@
 name: Mark stale issues and pull requests
+permissions: read-all
 
 on:
   schedule: