diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 632ad4c70..7a6188849 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,8 @@ on:
   schedule:
     - cron: '43 11 * * 1'
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/enforce-version-pinning.yml b/.github/workflows/enforce-version-pinning.yml
index e0d6d0a78..de7885ebc 100644
--- a/.github/workflows/enforce-version-pinning.yml
+++ b/.github/workflows/enforce-version-pinning.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: [main]
+permissions: {}
+
 jobs:
   check-version-pinning:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test-and-push-docker-image.yaml b/.github/workflows/test-and-push-docker-image.yaml
index 024a5aa82..50ad8d7ff 100644
--- a/.github/workflows/test-and-push-docker-image.yaml
+++ b/.github/workflows/test-and-push-docker-image.yaml
@@ -7,9 +7,13 @@ name: Run tests and push Docker image on success
   release:
     types: [published]
+permissions: {}
+
 jobs:
   test-and-push:
     runs-on: [self-hosted, management-ecr]
+    permissions:
+      contents: read
     env:
       LOGS_BUCKET_NAME: moj-analytics-s3-logs
     steps:
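Review bot: With `permissions: {}` now set at workflow level, the `analyze` job inherits no token scopes unless it declares its own `permissions:` block, and the job body lies outside this hunk; `github/codeql-action/analyze` needs `security-events: write` to upload results, plus `contents: read` (and `actions: read` on private repositories), so the scan will fail to upload if no job-level block exists. The same inheritance point applies to the `check-version-pinning` job in the second hunk, whose steps are also outside the hunk — if it checks out a private repository it needs `contents: read` at job level. If the `analyze` job does not already carry such a block, add one as below, and consider a comment above the new top-level line, `# Default to no token scopes; each job grants only what it needs`, so the intent survives later edits.
```yaml
  analyze:
    name: Analyze
    permissions:
      actions: read
      contents: read
      security-events: write
    # … unchanged: rest of the analyze job …
```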
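Review bot: The new job-level block on `test-and-push` grants only `contents: read`, but this job pushes an image from a self-hosted ECR runner and its step list is outside the hunk; if it authenticates to AWS through OIDC (for example `aws-actions/configure-aws-credentials` with `role-to-assume`), the token also needs `id-token: write`, and any step that posts a status or comment needs its matching scope — confirm against the steps before merging. Keep granting scopes at the job level as done here rather than widening the top-level `permissions: {}`. A one-line comment on the block, `# contents: read covers checkout; add id-token: write only if AWS auth uses OIDC`, would record the decision for the next maintainer.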