diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f96e9955..ac0d7539 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,9 @@ on:
 - master
 workflow_dispatch:
+permissions:
+ contents: read
+
 # Cancel old builds on new commit for same workflow + branch/PR
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -57,6 +60,9 @@ jobs:
 docker:
 name: Build with docker
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ packages: write
 steps:
 - uses: actions/checkout@v4
 name: Checkout Repo
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 813eea21..d3645502 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -6,6 +6,9 @@ on:
 - master
 workflow_dispatch:
+permissions:
+ contents: write
+ pages: write
 # Cancel old builds on new commit for same workflow + branch/PR
 concurrency:
diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml
index 7860c0b8..5c56a23b 100644
--- a/.github/workflows/mirror.yml
+++ b/.github/workflows/mirror.yml
@@ -8,6 +8,9 @@ on:
 required: true
 type: string
+permissions:
+ contents: read
+
 jobs:
 mirror:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-deps.yml b/.github/workflows/publish-deps.yml
index d40966e6..7e50ecf5 100644
--- a/.github/workflows/publish-deps.yml
+++ b/.github/workflows/publish-deps.yml
@@ -3,6 +3,11 @@ name: Publish Dependencies
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+ packages: write
+ id-token: write
+
 jobs:
 publish:
 # Must match glibc verison in node:20
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 63ebf089..91ad34b9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,9 @@ on:
 - master
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 semantic-release:
 name: Release
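Review bot: In the second ci.yml hunk, `packages: write` is granted to the whole `docker` job, so every step in it, on every trigger, runs with a token that can publish packages. The concurrency group in the first hunk reads `github.event.pull_request.number`, which suggests the workflow also runs for pull requests. If the image is only pushed from `master`, the write scope fits better on a separate publish job guarded by `if: github.event_name != 'pull_request'`, with this job left at `contents: read`. The job's steps and the full `on:` block are outside the hunk, so this needs confirming against them. Restating `contents: read` here is correct, because a job-level block replaces the workflow-level one rather than adding to it.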
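Review bot: In docs.yml, `contents: write` and `pages: write` are set at workflow level, so every job inherits a token that can push to the repository, including any job that only builds the documentation. The two scopes usually belong to different deployment methods: pushing to a publishing branch needs `contents: write` alone, while the Pages deployment action needs `pages: write` together with `id-token: write` and no repository write access. Granting both without `id-token` suggests one of them is unused. The jobs are outside the hunk, so confirm which method is in use, keep `contents: read` at the top, and move the single required write scope into the deploying job with a comment such as `# pages: write - used by the deploy step only`.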
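Review bot: In publish-deps.yml, `id-token: write` is granted at workflow level with no comment on what consumes the OIDC token, and all three scopes apply to every job in the file. Because the only trigger is `workflow_dispatch`, the run can be started from any branch, so the party that accepts the token should restrict its trust to this repository and the intended ref or environment rather than the repository alone. I would move the block into the `publish` job and annotate it, for example `# id-token: write - OIDC login to <service>` with the placeholder filled in. If nothing in the job requests an OIDC token, drop the line. The job body is outside the hunk, so the actual consumer cannot be confirmed here.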
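Review bot: In release.yml, the workflow-level `contents: read` leaves the `semantic-release` job unable to push tags or create releases with the default `GITHUB_TOKEN`. That holds unless the job declares its own `permissions:` block or authenticates with a separate token from secrets. The job body is outside the hunk, so which case applies is not visible here. If the default token is used, the job needs a job-level `contents: write`, plus `issues: write` and `pull-requests: write` if the release step comments on issues and PRs. If a separate token is used, a comment next to this block, for example `# release uses a dedicated token; GITHUB_TOKEN stays read-only`, would explain why read-only is sufficient.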