diff --git a/.github/workflows/code_scan.yml b/.github/workflows/code_scan.yml
index 92e6f804f9..2ebcf03770 100644
--- a/.github/workflows/code_scan.yml
+++ b/.github/workflows/code_scan.yml
@@ -1,4 +1,5 @@
 name: Code Scanning
+permissions: read-all
 
 on:
   workflow_dispatch: # run on request (no need for PR)
diff --git a/.github/workflows/pre_merge.yml b/.github/workflows/pre_merge.yml
index 945096a5d6..e43bac959a 100644
--- a/.github/workflows/pre_merge.yml
+++ b/.github/workflows/pre_merge.yml
@@ -1,4 +1,5 @@
 name: Pre-Merge Checks
+permissions: read-all
 
 on:
   push:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index dd6b896ce4..777f9b0645 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,4 +1,6 @@
 name: Upload Python Package
+permissions: read-all
+
 on:
   release:
     types: [published]
diff --git a/.github/workflows/upload_coverage.yml b/.github/workflows/upload_coverage.yml
index f531436124..7770cb8b31 100644
--- a/.github/workflows/upload_coverage.yml
+++ b/.github/workflows/upload_coverage.yml
@@ -1,4 +1,6 @@
 name: Upload coverage
+permissions: read-all
+
 on:
   workflow_run:
     workflows: ["Pre-Merge Checks"]