diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b3969075d668..3918e89533d5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,6 +1,9 @@
 name: Build
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/clang-format-lint.yml b/.github/workflows/clang-format-lint.yml
index dac697511de1..6f23946db999 100644
--- a/.github/workflows/clang-format-lint.yml
+++ b/.github/workflows/clang-format-lint.yml
@@ -3,6 +3,9 @@ on:
   push: {}
   pull_request: {}
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/infer.yml b/.github/workflows/infer.yml
index ffadd13ff3bd..b0ee2fee8243 100644
--- a/.github/workflows/infer.yml
+++ b/.github/workflows/infer.yml
@@ -8,6 +8,9 @@ name: Infer
       - master
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   run_infer:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/project_structure.yml b/.github/workflows/project_structure.yml
index def01554a4f8..dbc725655721 100644
--- a/.github/workflows/project_structure.yml
+++ b/.github/workflows/project_structure.yml
@@ -8,6 +8,9 @@ name: ProjectStructure
       - master
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   check_structure:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 6fb47c5d2dc9..186b3e1d2f5a 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -2,8 +2,13 @@ name: 'Close stale issues and PRs'
 on:
   schedule:
     - cron: '0 0 * * *'
+permissions:
+  contents: read
 jobs:
   stale:
+    permissions:
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@v9