diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 83917531b0..29099a15e5 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -6,6 +6,9 @@ on:
 - closed
 - labeled
+permissions:
+ pull-requests: write
+
 jobs:
 backport:
 name: Backport
diff --git a/.github/workflows/brakeman-analysis.yml b/.github/workflows/brakeman-analysis.yml
index acd7ef01f2..f5c035191d 100644
--- a/.github/workflows/brakeman-analysis.yml
+++ b/.github/workflows/brakeman-analysis.yml
@@ -3,6 +3,13 @@ name: Brakeman Scan
+concurrency:
+ group: brakeman-${{ github.ref_name }}
+ cancel-in-progress: ${{ github.ref_name != 'main' }}
+
+permissions:
+ contents: read
+
 on:
 push:
 branches: [main]
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7dc32952ca..8afcedfad6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -9,6 +9,8 @@ on:
 jobs:
 check_yarn_lock:
+ permissions:
+ contents: read
 runs-on: ubuntu-22.04
 name: Check yarn.lock
 steps:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 5519590823..f8a16cfe83 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,6 +2,13 @@ name: Lint
 on: [pull_request]
+concurrency:
+ group: lint-${{ github.ref_name }}
+ cancel-in-progress: ${{ github.ref_name != 'main' }}
+
+permissions:
+ contents: read
+
 jobs:
 Standard:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 1821afb177..d1129b581b 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,10 +4,13 @@ on:
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ pull-requests: write
+ issues: write
+
 jobs:
 stale:
 runs-on: ubuntu-22.04
-
 steps:
 - uses: actions/stale@v5
 with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 358ca7c6dd..66db5dd607 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
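Review bot: In `.github/workflows/backport.yml` the new top-level `permissions:` block grants only `pull-requests: write`, and once a block is declared every scope it omits drops to `none`, `contents` included. The job's steps are outside this hunk, so it is not visible whether the backport step pushes its branch with `GITHUB_TOKEN` or with a separate token; if it relies on `GITHUB_TOKEN`, the push would presumably be refused and the block would also need `contents: write`. The event name is cut off above the hunk as well, so I would add a short comment above the block stating which token performs the push and why write access to pull requests is required, e.g. `# GITHUB_TOKEN only opens/comments on the backport PR; branch push uses <token name>`.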
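Review bot: In `.github/workflows/brakeman-analysis.yml`, `permissions: contents: read` leaves `security-events` at `none`, which a SARIF upload to code scanning requires. The steps are outside the hunk, so this is inferred from the workflow's purpose: if the job ends with an upload step such as `github/codeql-action/upload-sarif`, add `security-events: write` next to `contents: read`, preferably on the job rather than the whole workflow. Separately, `github.ref_name` is the PR merge ref on pull-request runs, so the `!= 'main'` test in `cancel-in-progress` only ever protects push runs on main; a one-line comment saying so would help the next reader.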
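Review bot: In `.github/workflows/build.yml` the restriction is attached to the `check_yarn_lock` job only, whereas the other workflows touched by this commit declare `permissions:` at the top level. Any other job in this file (the rest of `jobs:` lies outside the hunk) keeps the repository's default token permissions, which may be broader than read-only. If no job here needs write access, a workflow-level `permissions:` with `contents: read` would cover them all; otherwise each remaining job should carry its own block so the least-privilege intent is explicit.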
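Review bot: In `.github/workflows/lint.yml` the expression `cancel-in-progress: ${{ github.ref_name != 'main' }}` is effectively constant, because this workflow runs only on `pull_request` and `github.ref_name` is then the PR merge ref, never `main`. Writing `cancel-in-progress: true` states the behaviour directly, and grouping on `lint-${{ github.event.pull_request.number }}` would make the "one run per PR" intent explicit. The job's steps are outside the hunk; if any linter reports through PR comments or check runs, `contents: read` alone will block that, so it is worth confirming before merging.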
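Review bot: In `.github/workflows/stale.yml` the step `actions/stale@v5` is referenced by a movable tag while the new block hands it `pull-requests: write` and `issues: write`. Those two scopes are what a stale-marking job would be expected to need, so the block itself looks right; the remaining exposure is that a retagged `v5` would run with write access to issues and PRs. Pinning the step to a full commit SHA with the tag kept as a trailing comment, `uses: actions/stale@<full-commit-sha>  # v5`, closes that gap. The `with:` options continue below the hunk; if `delete-branch` is enabled there, `contents: write` would presumably be needed too.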
@@ -2,6 +2,9 @@ name: Test
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 RSpec:
 runs-on: ubuntu-22.04