diff --git a/.github/workflows/clang-format.yml b/.github/workflows/clang-format.yml
index 7a8900dee..5dd3e3227 100644
--- a/.github/workflows/clang-format.yml
+++ b/.github/workflows/clang-format.yml
@@ -3,6 +3,9 @@ name: test-clang-format
 on:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/daily_ci.yml b/.github/workflows/daily_ci.yml
index 6b38f43bb..306edde89 100644
--- a/.github/workflows/daily_ci.yml
+++ b/.github/workflows/daily_ci.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: "00 15 * * 1-5"
+permissions:
+ contents: read
+
 jobs:
 codebuild:
 if: github.event_name != 'schedule' || github.repository_owner == 'aws'
diff --git a/.github/workflows/issue-notification.yml b/.github/workflows/issue-notification.yml
index 6674b9616..b784580ed 100644
--- a/.github/workflows/issue-notification.yml
+++ b/.github/workflows/issue-notification.yml
@@ -5,6 +5,9 @@ on:
 issue_comment:
 types: [created]
+permissions:
+ contents: read
+
 jobs:
 notify-issue:
 if: github.event_name == 'issues'
diff --git a/.github/workflows/pull.yml b/.github/workflows/pull.yml
index 6d7048a53..962e005eb 100644
--- a/.github/workflows/pull.yml
+++ b/.github/workflows/pull.yml
@@ -3,6 +3,9 @@ name: Pull Request Workflow
 on:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 clang-format:
 uses: ./.github/workflows/clang-format.yml
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 0c83adb71..31ba3e4fb 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -4,6 +4,9 @@ on:
 push:
 branches: master
+permissions:
+ contents: read
+
 jobs:
 clang-format:
 uses: ./.github/workflows/clang-format.yml
diff --git a/.github/workflows/repo-sync.yml b/.github/workflows/repo-sync.yml
index e3776d399..cf250b944 100644
--- a/.github/workflows/repo-sync.yml
+++ b/.github/workflows/repo-sync.yml
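Review bot: In daily_ci.yml the new top-level `permissions` block sets every scope it does not list to `none`, and that includes `id-token`. The steps of the `codebuild` job are outside this hunk, so this is inferred: if that job obtains cloud credentials through GitHub OIDC, it needs its own job-level block listing `id-token: write` next to `contents: read`, otherwise the credential step will start failing after this change. Worth confirming on the first run after merge rather than waiting for the weekday schedule.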
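Review bot: In issue-notification.yml, `contents: read` may still be more than the `notify-issue` job needs. The job body is outside this hunk; if it only forwards the event payload to an external notifier and never checks out the repository, `permissions: {}` would leave the token with no access at all, which is the safer default for a workflow triggered by user-created comments. If the job does query the GitHub API for issue data, the scope to list is `issues: read`.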
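Review bot: In pull.yml, and likewise in push.yml, the workflow-level `contents: read` becomes the ceiling for every reusable workflow these files call, because a called workflow can only narrow the token permissions its caller passes. That is consistent for `clang-format.yml`, which now declares the same scope. The `jobs:` map continues beyond both hunks, so any other called workflow that needs a further scope would need `permissions:` set on its calling job here. A short comment above the block, such as `# ceiling for all called workflows; widen per job, not here`, would make that clear to later editors.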
@@ -3,6 +3,10 @@ name: Repo Sync
 on:
 workflow_dispatch: # allows triggering this manually through the Actions UI
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 repo-sync:
 name: Repo Sync
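Review bot: `contents: write` and `pull-requests: write` are granted at workflow level in repo-sync.yml, so any job added to this file later inherits write access by default. Consider keeping the top-level block at `contents: read`, as in the other five workflows of this change, and moving the two write scopes into a `permissions:` block under `jobs.repo-sync`. The job's steps are outside this hunk; if the sync pushes with a separate token rather than `GITHUB_TOKEN`, the write scopes on `GITHUB_TOKEN` may not be needed at all.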