diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2999333f1997e3dec7af115a418f696c4f80a804..4de1cc507807df1c07f94fccb13f51cc9b6c749d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,6 +15,9 @@ on:
         default: 'true'
         required: false
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
   cancel-in-progress: true
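Review bot: The workflow-level `permissions:` block added here drops every unlisted GITHUB_TOKEN scope to `none`, and the jobs that use the token lie outside the hunk, so it is not visible whether any step needs a write scope (for example to post a pull-request comment or a check run). The same applies to the identical block added in ws_scan.yaml. Confirm this with one run of each workflow. It would also help to record the intent above the block, e.g. `# Least-privilege GITHUB_TOKEN; a job that needs more must declare job-level permissions`.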
diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release-npm.yml
index c79203ae203fb4d80a851ead3b5e217d274cf138..ae0d9116b8b165d3baabfe52c004dcc57fadd522 100644
--- a/.github/workflows/release-npm.yml
+++ b/.github/workflows/release-npm.yml
@@ -23,6 +23,9 @@ env:
   NPM_VERSION: ${{ github.event.client_payload.version }}
   NPM_TAG: ${{ github.event.client_payload.tag }}
 
+permissions:
+  contents: read
+
 jobs:
   release-npm:
     runs-on: ubuntu-latest
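Review bot: A release workflow is where `contents: read` is most likely to be too narrow, and the steps of the `release-npm` job are outside this hunk, so the fit cannot be checked here. If the job pushes a tag or creates a GitHub release with GITHUB_TOKEN it needs `contents: write`, and if it publishes with npm provenance it needs `id-token: write`. Either is better granted at job level under `release-npm:` than by widening the workflow default. The block limits only GITHUB_TOKEN and not whatever credential the job uses to publish to npm, so a comment such as `# Restricts GITHUB_TOKEN only; the npm publish credential is scoped separately` would keep readers from over-reading it.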
diff --git a/.github/workflows/stale-action.yml b/.github/workflows/stale-action.yml
index fff524ac1e1f6c01f875d8d7c907d127286fad16..e11c364d79cd8fd70cfa5c42cb428b3c53305116 100644
--- a/.github/workflows/stale-action.yml
+++ b/.github/workflows/stale-action.yml
@@ -5,6 +5,10 @@ on:
   schedule:
     - cron: '30 1 * * *'
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     runs-on: ubuntu-latest
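Review bot: The grant of `issues: write` and `pull-requests: write` covers labelling, commenting and closing, but the `stale` job's `uses:` line and options are outside the hunk, so two cases are unchecked. If the action is configured with `delete-branch` it also needs `contents: write`, and recent actions/stale releases keep their state in the Actions cache and document `actions: write` for it. If neither applies, a comment such as `# actions/stale: label, comment and close only` above the block would record why the set is this narrow.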
diff --git a/.github/workflows/ws_scan.yaml b/.github/workflows/ws_scan.yaml
index 0b592c3929c0fa3b0f87d63922848bec7b824c60..1b4f5825c46a3b10b7c26179b2f22ca427d36768 100644
--- a/.github/workflows/ws_scan.yaml
+++ b/.github/workflows/ws_scan.yaml
@@ -4,6 +4,9 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   WS_SCAN:
     runs-on: ubuntu-latest