diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 15c53bd413..38b8d29484 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -22,6 +22,8 @@ jobs:
   check-changesets:
     name: Adapter changes accompanied by a changeset
     runs-on: ['ubuntu-latest']
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -35,6 +37,8 @@ jobs:
   install-packages:
     name: Install and verify dependencies
     runs-on: [ubuntu-latest]
+    permissions:
+      contents: read
     outputs:
       changed-packages: ${{ steps.changed-adapters.outputs.CHANGED_PACKAGES }}
       adapter-list: ${{ steps.changed-adapters.outputs.CHANGED_ADAPTERS }}
@@ -100,6 +104,8 @@ jobs:
     needs:
       - check-changesets
       - install-packages
+    permissions:
+      contents: read
     steps:
       - name: Check out code
         uses: actions/checkout@v4
@@ -118,6 +124,8 @@ jobs:
     needs:
       - check-changesets
       - install-packages
+    permissions:
+      contents: read
     steps:
       - name: Check out code
         uses: actions/checkout@v4
@@ -158,6 +166,8 @@ jobs:
     needs:
       - check-changesets
       - install-packages
+    permissions:
+      contents: read
     steps:
       - name: Check out code
         uses: actions/checkout@v4
@@ -176,6 +186,8 @@ jobs:
     needs:
       - check-changesets
       - install-packages
+    permissions:
+      contents: read
     env:
       METRICS_ENABLED: false
     steps:
@@ -198,6 +210,8 @@ jobs:
     needs:
       - check-changesets
       - install-packages
+    permissions:
+      contents: read
     steps:
       - name: Check out code
         uses: actions/checkout@v4
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 4911ba7c41..83d0ce00e4 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -19,6 +19,8 @@ jobs:
   calculate-changes:
     name: Compute changed adapters
     runs-on: [ubuntu-latest]
+    permissions:
+      contents: read
     outputs:
       adapter-list: ${{ steps.changed-adapters.outputs.CHANGED_ADAPTERS }}
     steps:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5f52ec7d00..fe374751c1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,6 +24,8 @@ jobs:
   gh-release:
     name: GH Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
     steps: