diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 2c272bc92d35c000d7b9a6f6b095ab56a4a0e5d6..744e060773cc208d8d093fcd6d51080bb4aaee4b 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -24,6 +24,10 @@ on:
   schedule:
     - cron: '45 10 * * 1'
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     name: Analyze
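Review bot: `security-events: write` is granted at workflow level in codeql-analysis.yml, so every job in the file inherits it, including any job added later, although only the job that uploads analysis results needs it. Consider leaving just `contents: read` in the top-level block and declaring `permissions:` with `contents: read` and `security-events: write` under `jobs.analyze`; a job-level block replaces the workflow-level one for that job, so `contents: read` has to be repeated there. If the repository is private, the CodeQL action also needs `actions: read`, which this block would set to none. The body of the `analyze` job continues outside the hunk, so whether other jobs exist cannot be confirmed from here.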
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 9068d144bdb65b45db238202b3d1722db9d028f2..6bd914b901277b5b97da253abf79faa1f957ec34 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -21,6 +21,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-20.04
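Review bot: The new `permissions:` block in main.yml, and the identical one in verify.yml, carries no comment saying that every scope left unlisted becomes `none` for the GITHUB_TOKEN. That is the non-obvious effect a later contributor hits when a step that needs a write scope starts failing with a permission error. I would add `# Least privilege: scopes not listed here are set to none; grant extras per job.` directly above `permissions:` in both files. The `build` job body is outside the hunk, so it is worth confirming that no existing step relies on a write scope.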
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 315e56a8f3b2a5e77d9d773ed0f68546ec45fa49..f8e34bb47157f1ecab3a1abc55b6f073b3bb9891 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -17,6 +17,9 @@ name: Verify
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   license-check:
     name: license boilerplate check