diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d7dd59e143e..543b17dd8cd 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -16,7 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   build:
diff --git a/.github/workflows/builtin-actor-tests.yml b/.github/workflows/builtin-actor-tests.yml
index 93d4c669e59..c24d8db1f9c 100644
--- a/.github/workflows/builtin-actor-tests.yml
+++ b/.github/workflows/builtin-actor-tests.yml
@@ -8,7 +8,8 @@ on:
     branches:
       - release/*
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   release:
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 2f60cdde77a..af6a88d943c 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -16,7 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   check-docsgen:
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index de703d3a456..9eff504136f 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -19,7 +19,8 @@ defaults:
   run:
     shell: bash
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   docker:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bd085454ff3..f6fc8ba46d2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,7 +17,8 @@ defaults:
   run:
     shell: bash
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   build:
diff --git a/.github/workflows/sorted-pr-checks.yml b/.github/workflows/sorted-pr-checks.yml
index 5d5101b4172..2ce76cb1761 100644
--- a/.github/workflows/sorted-pr-checks.yml
+++ b/.github/workflows/sorted-pr-checks.yml
@@ -17,6 +17,8 @@ on:
       - completed
 
 permissions:
+  actions: read
+  checks: read
   pull-requests: write
 
 concurrency:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 3116da07c74..9def5f67800 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,7 +4,8 @@ on:
   schedule:
   - cron: '0 12 * * *'
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   stale:
diff --git a/.github/workflows/sync-master-main.yaml b/.github/workflows/sync-master-main.yaml
index b629b560433..3ffb6932a25 100644
--- a/.github/workflows/sync-master-main.yaml
+++ b/.github/workflows/sync-master-main.yaml
@@ -5,7 +5,8 @@ on:
     branches:
       - master
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   sync:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index b199fd2201f..4cc5881894f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -16,7 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   discover: