diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index 868a7975..b770eff4 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -9,6 +9,12 @@ on:
 types:
 - published
 name: build-test
+
+
+permissions:
+ contents: read
+ packages: write
+
 jobs:
 build-test:
 name: Build and test ZOT
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 65a4c1c0..c6ffadfa 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,8 @@ on:
 schedule:
 - cron: '17 11 * * 0'
+permissions: read-all
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/ecosystem-tools.yaml b/.github/workflows/ecosystem-tools.yaml
index 4cbb2471..eba0f63a 100644
--- a/.github/workflows/ecosystem-tools.yaml
+++ b/.github/workflows/ecosystem-tools.yaml
@@ -9,6 +9,8 @@ on:
 types:
 - published
+permissions: read-all
+
 jobs:
 client-tools:
 name: Check client tools
diff --git a/.github/workflows/oci-conformance-action.yml b/.github/workflows/oci-conformance-action.yml
index 2c6a7aa3..9ae012c8 100644
--- a/.github/workflows/oci-conformance-action.yml
+++ b/.github/workflows/oci-conformance-action.yml
@@ -12,6 +12,8 @@ on:
 branches:
 - main
+permissions: read-all
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
 run:
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index c20ae639..206c7769 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -3,6 +3,11 @@ on:
 schedule:
 - cron: '30 1 * * *'
+permissions:
+ contents: read
+ issues: read | write
+ pull-requests: read | write
+
 jobs:
 stale:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/sync-golang-image.yaml b/.github/workflows/sync-golang-image.yaml
index 7c625c04..ba2b5435 100644
--- a/.github/workflows/sync-golang-image.yaml
+++ b/.github/workflows/sync-golang-image.yaml
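Review bot: In `.github/workflows/ci-cd.yml` the new `packages: write` is granted at workflow level, so every job in the file gets a token that can publish packages, including runs that only build and test. Only the `build-test` job header is visible in this hunk, so which job or step actually pushes is an assumption to confirm. If publishing is confined to one job, keep the top level at `contents: read` and put `packages: write` in a `permissions:` block on that job alone. A one-line comment above the block naming the step that needs the write scope would also help the next reviewer.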
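Review bot: `permissions: read-all` in `.github/workflows/codeql-analysis.yml` leaves the `analyze` job without `security-events: write`, which the CodeQL action needs in order to upload its results to code scanning. Unless the job declares its own `permissions` block outside this hunk, the upload step is likely to fail with the read-only token. I would replace the line with an explicit map on the job: `actions: read`, `contents: read`, `security-events: write`.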
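Review bot: `permissions: read-all` in `.github/workflows/ecosystem-tools.yaml` grants read access on every token scope, which is wider than a workflow that only checks out and tests code normally needs; the same line is added in `oci-conformance-action.yml`. The job bodies are outside these hunks, so confirm that nothing reads packages or other scopes, then prefer the explicit form already used in `ci-cd.yml`, i.e. `permissions:` with `contents: read` beneath it. An explicit map also makes any later scope addition visible in review.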
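Review bot: `issues: read | write` and `pull-requests: read | write` in `.github/workflows/stale.yaml` are not valid permission values: each scope takes exactly one of `read`, `write` or `none`, and `read | write` is parsed by YAML as a single string. GitHub is expected to reject the workflow file as invalid, so the stale job would not run at all. `write` already includes read access, so the lines should be `issues: write` and `pull-requests: write`. The same mistake appears in `sync-golang-image.yaml`, where `packages: read | write` should be `packages: write`.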
@@ -9,6 +9,10 @@ on:
 env:
 GOLANG_VERSION: 1.18
+permissions:
+ contents: read
+ packages: read | write
+
 jobs:
 sync-golang:
 name: 'sync'