diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index 54ff19bbf57..098a6fbcf99 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@@ -7,6 +7,9 @@ on:
 pull_request:
 branches: [main]
 
+permissions:
+ contents: read
+
 jobs:
 checks:
 name: ${{ matrix.cfg.check }}
diff --git a/.github/workflows/rspec_tests.yaml b/.github/workflows/rspec_tests.yaml
index 51d5b2f95bd..9be4ca582c0 100644
--- a/.github/workflows/rspec_tests.yaml
+++ b/.github/workflows/rspec_tests.yaml
@@ -7,6 +7,9 @@ on:
 pull_request:
 branches: [main]
 
+permissions:
+ contents: read
+
 jobs:
 rspec_tests:
 name: ${{ matrix.cfg.os }}(ruby ${{ matrix.cfg.ruby }})
diff --git a/.github/workflows/snyk_monitor.yaml b/.github/workflows/snyk_monitor.yaml
index c3d0de59f1e..7b296c19721 100644
--- a/.github/workflows/snyk_monitor.yaml
+++ b/.github/workflows/snyk_monitor.yaml
@@ -4,6 +4,9 @@ on:
 push:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 snyk_monitor:
 if: ${{ github.repository_owner == 'puppetlabs' }}
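Review bot: Declaring `permissions:` at workflow level with only `contents: read` sets every GITHUB_TOKEN scope that is not listed to `none`, so any step in the `checks` job that writes through the token would now fail. The job's steps are outside this hunk, so that should be confirmed against the full file; the same applies to the identical blocks added in rspec_tests.yaml and snyk_monitor.yaml. I would also put a comment above the block so later changes widen the token per job rather than here: `# Least privilege: GITHUB_TOKEN scopes not listed are none; grant extras at job level.`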
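Review bot: The `permissions` block added to snyk_monitor.yaml narrows only the GITHUB_TOKEN; it does not constrain any repository secret the `snyk_monitor` job passes to Snyk, and that job's steps are outside this hunk. If such a secret is used, the `push`-to-`main` trigger and the `repository_owner` guard visible here remain the controls that limit where it is exposed. A comment on the block would keep readers from over-trusting it: `# Restricts GITHUB_TOKEN only; secrets used by the Snyk step are not covered.`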