diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml index 6cc797b..85ca66f 100644 --- a/.github/workflows/build_test.yml +++ b/.github/workflows/build_test.yml @@ -1,5 +1,8 @@ on: [push, pull_request] name: Build Test +permissions: + contents: read + jobs: build_test_v3: strategy: diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 31e78f8..218b89e 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -2,8 +2,14 @@ name: "Pull Request Labeler" on: - pull_request_target +permissions: + contents: read + jobs: triage: + permissions: + contents: read # for actions/labeler to determine modified files + pull-requests: write # for actions/labeler to add labels to PRs runs-on: ubuntu-latest steps: - uses: actions/labeler@v4 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 80024e0..3251245 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -4,8 +4,14 @@ on: push: pull_request: +permissions: + contents: read + jobs: golangci: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: read # for golangci/golangci-lint-action to fetch pull requests name: lint runs-on: ubuntu-latest steps: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1637239..0d807ba 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,6 +3,9 @@ on: - cron: '0 1 1 * *' # UTC 01:00 on the first day of the Month name: Release +permissions: + contents: read + jobs: release: runs-on: ubuntu-latest diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index 1c4d236..04bb575 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -1,5 +1,8 @@ on: [push, pull_request] name: Shellcheck +permissions: + contents: read + jobs: shellcheck: name: Shellcheck 
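Review bot: In labeler.yml the new job-level block grants `pull-requests: write` to a job triggered by `pull_request_target`, while the only step shown still references `actions/labeler@v4` by a mutable tag. That trigger runs with the base repository's token even for pull requests from forks, so pinning the action to a full commit SHA would bound what code can use the write scope, e.g. `- uses: actions/labeler@<full-commit-sha> # v4`. The job-level `contents: read` is needed rather than redundant, because a job-level `permissions` block replaces the workflow-level one instead of merging with it; a comment saying so would stop it being removed later. The steps list continues outside the hunk.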
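Review bot: In release.yml the workflow-level `contents: read` is added with no job-level override for the `release` job, unlike the labeler.yml and lint.yml hunks. If that job creates a tag or a GitHub release with `GITHUB_TOKEN`, the scheduled run would start failing with a permission error; its steps are outside the hunk, so this is inferred from the workflow name only. In that case add a block under `release:` such as `permissions:` followed by `contents: write  # to create the tag and release`. If the job publishes with a separate token instead, a one-line comment saying so would make the read-only default self-explanatory.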
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 66947fd..d25aa93 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,5 +1,8 @@
 on: [push, pull_request]
 name: Test
+permissions:
+ contents: read
+
 jobs:
 test_v3_module:
 strategy: