diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 15f0db98..99fbdc20 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -20,6 +20,8 @@ on:
 schedule:
 - cron: '24 3 * * 1'
 
+permissions: {}
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index 67ebc797..871fc355 100644
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -7,12 +7,17 @@ on:
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
 
+permissions: {}
+
 jobs:
 publishDocker:
 environment: dockerhub
 env:
 IMAGE_NAME: mikefarah/yq
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6e28af66..a8924ef7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,8 @@ on:
 - 'v4.*'
 - 'draft-*'
 
+permissions: {}
+
 jobs:
 publishGitRelease:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/snap-release.yml b/.github/workflows/snap-release.yml
index 6b8d1969..65513eaf 100644
--- a/.github/workflows/snap-release.yml
+++ b/.github/workflows/snap-release.yml
@@ -7,10 +7,14 @@ on:
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
 
+permissions: {}
+
 jobs:
 buildSnap:
 environment: snap
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - uses: snapcore/action-build@3bdaa03e1ba6bf59a65f84a751d943d549a54e79 # v1.3.0
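Review bot: With `permissions: {}` at workflow level in codeql.yml, the `analyze` job receives no token scopes unless it declares its own, and this hunk shows no job-level block (the job body continues past `name: Analyze`, outside the hunk). Uploading CodeQL results normally needs `security-events: write`, plus `contents: read` for checkout of a non-public repository, so confirm the job already sets them or add a `permissions:` block under `analyze`. The same question applies to `publishGitRelease` in release.yml, where the only change is the top-level `permissions: {}`. Creating a release with the workflow token needs `contents: write` on that job, unless it authenticates with a separate secret. A failed tag-triggered release run is the likely symptom if the grant is missing.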
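Review bot: The new job-level block on `publishDocker` in docker-release.yml grants `packages: write` without recording which step needs it. The steps are outside the hunk, so it is not visible whether the job pushes to GitHub Packages or only to Docker Hub via the `dockerhub` environment. If nothing in the job writes to GitHub Packages, drop the scope; otherwise state the reason inline, e.g. `packages: write  # push image to GitHub Packages`. Because the job token is now write-capable and `actions/checkout` keeps it in the local git config by default, consider setting `persist-credentials: false` on the checkout step so later steps cannot read it.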