diff --git a/.github/workflows/deny_dirty_cargo_locks.yml b/.github/workflows/deny_dirty_cargo_locks.yml
index 98b9754013f..244e302dd4d 100644
--- a/.github/workflows/deny_dirty_cargo_locks.yml
+++ b/.github/workflows/deny_dirty_cargo_locks.yml
@@ -2,6 +2,10 @@ name: Check no Cargo.lock files are dirty
 
 on: pull_request
 
+
+permissions:
+  contents: read
+
 jobs:
   no_dirty_cargo_locks_check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/dependency_modification_check.yml b/.github/workflows/dependency_modification_check.yml
index ac6537af102..10df0a863eb 100644
--- a/.github/workflows/dependency_modification_check.yml
+++ b/.github/workflows/dependency_modification_check.yml
@@ -2,6 +2,10 @@ name: Check no dependencies were modified
 
 on: pull_request
 
+
+permissions:
+  contents: read
+
 jobs:
   dependency_changed_check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/send_pr_notification.yml b/.github/workflows/send_pr_notification.yml
index d7148a67ec9..b0412184ffa 100644
--- a/.github/workflows/send_pr_notification.yml
+++ b/.github/workflows/send_pr_notification.yml
@@ -4,6 +4,9 @@ on:
   pull_request_target:
     types: [labeled]
 
+
+permissions: {}
+
 jobs:
   send_notification:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/send_release_notification.yml b/.github/workflows/send_release_notification.yml
index 65d03f0c940..9dadb357570 100644
--- a/.github/workflows/send_release_notification.yml
+++ b/.github/workflows/send_release_notification.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+
+permissions: {}
+
 jobs:
   send_notification:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/trigger_ab_tests.yml b/.github/workflows/trigger_ab_tests.yml
index bb7c81f1e14..9c4691d3992 100644
--- a/.github/workflows/trigger_ab_tests.yml
+++ b/.github/workflows/trigger_ab_tests.yml
@@ -5,6 +5,10 @@ on:
       - firecracker-v*
       - feature/*
 
+
+permissions:
+  contents: read
+
 jobs:
   trigger_ab_test:
     runs-on: ubuntu-latest