diff --git a/.github/workflows/common.yml b/.github/workflows/common.yml
index d2912ab49..10d030930 100644
--- a/.github/workflows/common.yml
+++ b/.github/workflows/common.yml
@@ -1,5 +1,8 @@
 name: container project - common jobs
 
+permissions:
+ contents: read
+
 on:
 workflow_call:
 inputs:
diff --git a/.github/workflows/docs-release.yml b/.github/workflows/docs-release.yml
index 68a19854d..e1105033e 100644
--- a/.github/workflows/docs-release.yml
+++ b/.github/workflows/docs-release.yml
@@ -1,6 +1,10 @@
 # Manual workflow for releasing docs ad-hoc. Workflow can only be run for main or release branches.
 # Workflow does NOT publish a release of container.
 name: Deploy application website
+
+permissions:
+ contents: read
+
 on:
 workflow_dispatch:
 
diff --git a/.github/workflows/merge-build.yml b/.github/workflows/merge-build.yml
index 307467a53..2933f2917 100644
--- a/.github/workflows/merge-build.yml
+++ b/.github/workflows/merge-build.yml
@@ -1,5 +1,8 @@
 name: container project - merge build
 
+permissions:
+ contents: read
+
 on:
 push:
 branches:
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
index ea9d8ffa9..9536e0ad3 100644
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
@@ -1,5 +1,8 @@
 name: container project - PR build
 
+permissions:
+ contents: read
+
 on:
 pull_request:
 types: [opened, reopened, synchronize]
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index 7edb8cc95..7aedc32c9 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -1,5 +1,8 @@
 name: container project - release build
 
+permissions:
+ contents: read
+
 on:
 push:
 tags:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7edb8cc95..7aedc32c9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,8 @@
 name: container project - release build
 
+permissions:
+ contents: read
+
 on:
 push:
 tags:
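Review bot: In `common.yml` the new top-level `permissions:` block sits in a `workflow_call` workflow, where the called workflow can only lower the `GITHUB_TOKEN` scopes the calling job already holds, never raise them. The same `contents: read` default is added to pr-build.yml, merge-build.yml, release-build.yml and release.yml, so a job in `common.yml` that needs any write scope only gets it if the calling job grants it and the job itself declares it; the job definitions are outside these hunks, so this should be checked before merging. I would also add a comment above each block, e.g. `# Least-privilege default for every job; a job that needs more must declare its own permissions: block`, so a later permission failure is easy to trace back to this default.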
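Review bot: `docs-release.yml` is named "Deploy application website", and with `contents: read` now the workflow-wide default its deploy job receives no other token scope unless it declares one. The jobs are outside the hunk, so I cannot see whether they do. If the site is published through the GitHub Pages deployment action, the deploying job needs a job-level `permissions:` with `pages: write` and `id-token: write`; if it pushes to a publishing branch it needs `contents: write` instead. Grant that on the deploying job only and keep the workflow-level default read-only.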
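Review bot: `release-build.yml` and `release.yml` show the same blob ids (`7edb8cc95..7aedc32c9`), the same `name: container project - release build` and the same `on: push: tags:` trigger, so they appear to be identical workflows that both start on a tag push. If that is not intended, one of them should be removed rather than patched, since two release runs for one tag can collide when publishing the same artifacts. Separately, if a release job creates the GitHub release with `GITHUB_TOKEN`, it needs a job-level `permissions:` with `contents: write`; the jobs are outside the hunk, so that is unconfirmed.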