diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 305f5a45eb2e5e3c89b01adc36bdc7cf63e8793e..6e37bdcebe82d9eca891187903c00f5c645100e1 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -21,12 +21,14 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  security-events: write
+  contents: read
 
 jobs:
   CodeQL-Build:
     runs-on: ubuntu-latest
     if: github.event.pull_request.draft != true
+    permissions:
+      security-events: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
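Review bot: The job-level `permissions` block added on `CodeQL-Build` replaces the workflow-level block rather than merging with it, so every scope not listed there, including `contents`, is `none` inside this job and the new top-level `contents: read` has no effect on it. On a public repository the checkout step still succeeds, but on a private or internal one `actions/checkout` would fail without read access, and GitHub's CodeQL starter workflow also lists `actions: read` for that case; the repository's visibility cannot be determined from this diff. I would state the read scope explicitly in the job by adding `contents: read` beside `security-events: write`, which keeps the job least-privilege and independent of repository visibility. The job's steps continue past the end of this hunk.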
diff --git a/.github/workflows/devcontainer.yml b/.github/workflows/devcontainer.yml
index c310d767a9b8eda66b80de312fc6e436d34433c7..983bfc712630992232e75ffcba6ac0c52b4c1c1b 100644
--- a/.github/workflows/devcontainer.yml
+++ b/.github/workflows/devcontainer.yml
@@ -9,6 +9,9 @@ on:
       - reopened
       - ready_for_review
 
+permissions:
+  contents: read
+
 jobs:
   devcontainer-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update-data.yml b/.github/workflows/update-data.yml
index 2c0f57cf532619ff4bf641c4d46f796f3001ebe8..d48091e84d0daff3a73efff487666e6747d152e0 100644
--- a/.github/workflows/update-data.yml
+++ b/.github/workflows/update-data.yml
@@ -8,12 +8,14 @@ env:
   NODE_VERSION: 18
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   update-data:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0