diff --git a/.github/workflows/boost_version.yml b/.github/workflows/boost_version.yml
index 65df364a907..467136105a3 100644
--- a/.github/workflows/boost_version.yml
+++ b/.github/workflows/boost_version.yml
@@ -47,6 +47,9 @@ on:
     branches-ignore:
       - 'gh-pages'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Ubuntu Boost
diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml
index 537185d7e5a..4f39f5e46d3 100644
--- a/.github/workflows/check-files.yml
+++ b/.github/workflows/check-files.yml
@@ -12,6 +12,9 @@ name: Check files
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   Signature_check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/check-queries.yml b/.github/workflows/check-queries.yml
index 9b0d014821f..a6bb136cff9 100644
--- a/.github/workflows/check-queries.yml
+++ b/.github/workflows/check-queries.yml
@@ -40,6 +40,9 @@ on:
     branches-ignore:
       - 'gh-pages'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Check queries
diff --git a/.github/workflows/clang.yml b/.github/workflows/clang.yml
index ce23e11e29d..cbd68e4b25a 100644
--- a/.github/workflows/clang.yml
+++ b/.github/workflows/clang.yml
@@ -37,6 +37,9 @@ on:
     branches-ignore:
       - 'gh-pages'
 
+permissions:
+  contents: read
+
 jobs:
   Test_clang:
     name: Ubuntu clang
diff --git a/.github/workflows/doc-check.yml b/.github/workflows/doc-check.yml
index 052d19fdb6e..69205abf49c 100644
--- a/.github/workflows/doc-check.yml
+++ b/.github/workflows/doc-check.yml
@@ -37,6 +37,9 @@ on:
     branches-ignore:
       - 'gh-pages'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: documentation
diff --git a/.github/workflows/locale-and-website.yml b/.github/workflows/locale-and-website.yml
index 43fe18032d9..6d26f99872a 100644
--- a/.github/workflows/locale-and-website.yml
+++ b/.github/workflows/locale-and-website.yml
@@ -7,8 +7,13 @@ on:
       - main
       - develop
 
+permissions:
+  contents: read
+
 jobs:
   release:
+    permissions:
+      contents: write  # for Git to git push
     name: Update Locale and Website
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'pgRouting' }}
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index 329d894ab14..9dbf074d08b 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -6,6 +6,9 @@ name: Build for macOS
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: macos
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8a88e6f2ee6..3ffdf80aea0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,8 +6,13 @@ on:
       - 'v*.*.*'
 
 
+permissions:
+  contents: read
+
 jobs:
   release:
+    permissions:
+      contents: write  # for Git to git push
     name: Release
     runs-on: ubuntu-latest
 
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index 444c2ecf4e4..868a5d2ae17 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -7,6 +7,9 @@ name: Build for Ubuntu
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Ubuntu psql
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index ee74e95fd7a..2988a65017d 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -7,6 +7,9 @@ name: Update
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build