diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 63c7de297..bede58148 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -16,6 +16,9 @@ on:
 env:
   DOCKERHUB_SLUG: distribution/distribution
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -45,6 +48,9 @@ jobs:
           directory: ./
 
   build:
+    permissions:
+      contents: write # to create GitHub release (softprops/action-gh-release)
+
     runs-on: ubuntu-latest
     needs:
       - test
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 97780796d..76bf31ecf 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -15,8 +15,15 @@ on:
       - 'v*'
   pull_request:
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   analyze:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      security-events: write # to upload SARIF results (github/codeql-action/analyze)
+
     name: Analyze
     runs-on: ubuntu-latest
     strategy:
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
index 728f9d81e..ca8fdfb64 100644
--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@@ -8,6 +8,9 @@ on:
   pull_request:
   push:
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   run-conformance-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index dc4495083..cd0662c75 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -11,6 +11,9 @@ on:
       - 'release/*'
   pull_request:
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   run-e2e-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index a435318e8..9b4419d64 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
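Review bot: In the second build.yml hunk, `contents: write` is set at the job level, so every step of `build` — checkout and the image build/push steps (the DOCKERHUB_SLUG env in the first hunk suggests a Docker Hub publish), not only the softprops/action-gh-release step the comment names — runs with a GITHUB_TOKEN that can write to the repository. GitHub Actions cannot narrow permissions per step, so if the release step can be separated, consider giving it its own job (`needs: build`) that alone carries `contents: write` while `build` stays on the workflow-level `contents: read`. If the job has to remain as one unit, a comment on the block such as `# applies to every step in this job, not only the release step` would make the scope explicit for later editors. The `build` job continues past the hunk, so which steps actually require the write scope is not visible here.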
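Review bot: In the codeql-analysis.yml hunk the job-level `permissions:` on `analyze` repeats `contents: read` from the new workflow-level block; this is required rather than redundant, because a job-level `permissions` map replaces the workflow-level one entirely instead of merging with it, and removing the line would leave the job unable to check out code. A short comment would protect it from a later "deduplication", e.g. `# job-level permissions replace (do not merge with) the workflow-level block, so contents: read must be repeated here`. For completeness, github/codeql-action documents an additional `actions: read` scope for workflows in private repositories; that does not appear to apply to this public repository, so the block as written looks sufficient.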
@@ -8,6 +8,9 @@ on:
   - pull_request
   - push
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   scan-license:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 98035af24..348496cca 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -13,6 +13,9 @@ on:
       - 'v*'
   pull_request:
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   validate:
     runs-on: ubuntu-latest