diff --git a/.github/workflows/checkpoint.yaml b/.github/workflows/checkpoint.yaml
index 0ef03c6cc..d12e2e82e 100644
--- a/.github/workflows/checkpoint.yaml
+++ b/.github/workflows/checkpoint.yaml
@@ -3,6 +3,12 @@
 name: Checkpoint UDS Core
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+ contents: read # Allows reading the content of the repository.
+ packages: read # Allows reading the content of the repository's packages.
+ id-token: write
+
 on:
 pull_request:
 # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow).
diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
index 172c85c1b..178a64701 100644
--- a/.github/workflows/commitlint.yaml
+++ b/.github/workflows/commitlint.yaml
@@ -3,6 +3,10 @@
 name: Metadata
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+ contents: read # Allows reading the content of the repository.
+
 on:
 pull_request:
 branches: [main]
diff --git a/.github/workflows/docs-shim.yaml b/.github/workflows/docs-shim.yaml
index 439a2d405..28aea1ccf 100644
--- a/.github/workflows/docs-shim.yaml
+++ b/.github/workflows/docs-shim.yaml
@@ -3,6 +3,10 @@
 name: CI Docs
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+ contents: read # Allows reading the content of the repository.
+
 on:
 pull_request:
 # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow).
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index cd1562ab8..738754012 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
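Review bot: In the checkpoint.yaml hunk, `id-token: write` is the only entry in the new `permissions:` block without an explanatory comment, and because it sits at workflow level it is granted to every job in the workflow rather than only to the job that needs an OIDC token. Suggest documenting it and, where possible, scoping it to the consuming job, e.g. `id-token: write # Allows requesting an OIDC token; only needed by <job that authenticates via OIDC> — consider a job-level permissions block there.` Whether the token is used for keyless signing or cloud authentication cannot be confirmed from this hunk, so the comment should name the actual consumer. The same pattern appears in the publish.yaml, snapshot-release.yaml and tag-and-release.yaml hunks; the jobs that would carry a job-level block are outside every hunk.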
@@ -3,6 +3,12 @@
 name: Publish UDS Core
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+ contents: read # Allows reading the content of the repository.
+ packages: read # Allows reading the content of the repository's packages.
+ id-token: write
+
 on:
 # triggered by tag-and-release.yaml and snapshot-release.yaml
 workflow_call:
diff --git a/.github/workflows/snapshot-release.yaml b/.github/workflows/snapshot-release.yaml
index 54c953d84..007915d72 100644
--- a/.github/workflows/snapshot-release.yaml
+++ b/.github/workflows/snapshot-release.yaml
@@ -3,6 +3,12 @@
 name: Release UDS Core Snapshot
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+ contents: read # Allows reading the content of the repository.
+ packages: read # Allows reading the content of the repository's packages.
+ id-token: write
+
 on:
 schedule:
 - cron: "0 10 * * *"
diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml
index b09b53043..85d4bbb99 100644
--- a/.github/workflows/tag-and-release.yaml
+++ b/.github/workflows/tag-and-release.yaml
@@ -3,6 +3,12 @@
 name: Release UDS Core
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+ contents: read # Allows reading the content of the repository.
+ packages: read # Allows reading the content of the repository's packages.
+ id-token: write
+
 on:
 push:
 branches:
diff --git a/.github/workflows/test-shim.yaml b/.github/workflows/test-shim.yaml
index bdc662027..8abe423a1 100644
--- a/.github/workflows/test-shim.yaml
+++ b/.github/workflows/test-shim.yaml
@@ -3,6 +3,10 @@
 name: Test Shim
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+ contents: read # Allows reading the content of the repository.
+
 on:
 # Manual trigger
 workflow_dispatch:
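Review bot: In the publish.yaml hunk, `packages: read` on a workflow that is only reached via `workflow_call` (per the existing comment) means no job in it can push a package with GITHUB_TOKEN, and a called workflow can only downgrade, never elevate, the permissions its caller passes in — the callers in this diff (tag-and-release.yaml and snapshot-release.yaml) grant the identical read/read/write set. If publishing relies on GITHUB_TOKEN, `packages: write` is needed at job level in both the caller and the called job; if a separate credential or OIDC-backed registry login is used instead, a comment such as `packages: read # Publishing authenticates via <credential>, so write is not required here` would prevent the next reader from re-raising this. Likewise, a workflow-level `permissions:` block replaces the repository default for every job that does not declare its own, so any job in tag-and-release.yaml or snapshot-release.yaml that creates tags or releases now needs a job-level `contents: write`; those jobs are outside the hunks, so this is inferred and should be confirmed.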