diff --git a/.github/workflows/automated_release.yaml b/.github/workflows/automated_release.yaml
index ec4e9d4e..ef20bcbe 100644
--- a/.github/workflows/automated_release.yaml
+++ b/.github/workflows/automated_release.yaml
@@ -5,6 +5,10 @@ on:
   schedule:
     - cron: "0 10 * * 4"
 
+
+permissions:
+  contents: write
+
 jobs:
   release_management:
     uses: newrelic/coreint-automation/.github/workflows/reusable_release_automation.yaml@v3
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7f419ff6..dcddc3ac 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,6 +8,10 @@ on:
       - renovate/**
   pull_request:
 
+
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build and scan image
diff --git a/.github/workflows/infra_bundle_scan_report.yml b/.github/workflows/infra_bundle_scan_report.yml
index 6cdd43b8..aa71d257 100644
--- a/.github/workflows/infra_bundle_scan_report.yml
+++ b/.github/workflows/infra_bundle_scan_report.yml
@@ -4,6 +4,10 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build and scan image
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 61432452..17e37263 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -7,6 +7,10 @@ on:
       - master
       - main
 
+
+permissions:
+  contents: read
+
 jobs:
   nightly:
     name: Nightly standard build
diff --git a/.github/workflows/on-demand.yml b/.github/workflows/on-demand.yml
index 7627104d..a235d4ef 100644
--- a/.github/workflows/on-demand.yml
+++ b/.github/workflows/on-demand.yml
@@ -5,6 +5,10 @@ on:
       agent_version:
         description: "Agent version"
         required: true
+
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build and push image
diff --git a/.github/workflows/release-windows.yml b/.github/workflows/release-windows.yml
index 99c81017..576b18db 100644
--- a/.github/workflows/release-windows.yml
+++ b/.github/workflows/release-windows.yml
@@ -3,6 +3,10 @@ on:
   release:
     types: [ prereleased, released ]
 
+
+permissions:
+  contents: read
+
 jobs:
   release-windows-2022:
     name: Release Windows Server 2022
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 828fec5b..1ab23d91 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,10 @@ on:
   release:
     types: [ prereleased, released ]
 
+
+permissions:
+  contents: read
+
 jobs:
   container-release:
     uses: newrelic/coreint-automation/.github/workflows/reusable_image_release.yaml@v3
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index dbc8f5c9..a5f2f194 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -7,6 +7,10 @@ on:
   schedule:
     - cron: "14 3 * * *" # Daily at 3:14 AM
 
+
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build and scan image