diff --git a/.github/workflows/android-app.yml b/.github/workflows/android-app.yml
index 54c00cbc59c6..8331a2ced3de 100644
--- a/.github/workflows/android-app.yml
+++ b/.github/workflows/android-app.yml
@@ -46,6 +46,9 @@ on:
 # Build if main is updated to ensure up-to-date caches are available
 push:
 branches: [main]
+
+permissions: {}
+
 jobs:
 prepare:
 name: Prepare
diff --git a/.github/workflows/android-audit.yml b/.github/workflows/android-audit.yml
index 2945273efc1c..0f62905dc744 100644
--- a/.github/workflows/android-audit.yml
+++ b/.github/workflows/android-audit.yml
@@ -20,6 +20,9 @@ on:
 description: Override container image
 type: string
 required: false
+
+permissions: {}
+
 jobs:
 prepare:
 name: Prepare
diff --git a/.github/workflows/android-kotlin-format-check.yml b/.github/workflows/android-kotlin-format-check.yml
index 4eb6d54a0142..7fce9a108fe0 100644
--- a/.github/workflows/android-kotlin-format-check.yml
+++ b/.github/workflows/android-kotlin-format-check.yml
@@ -9,6 +9,9 @@ on:
 description: Override container image
 type: string
 required: false
+
+permissions: {}
+
 jobs:
 prepare:
 name: Prepare
diff --git a/.github/workflows/android-static-analysis.yml b/.github/workflows/android-static-analysis.yml
index cc0fa5b62e34..a693740f4b49 100644
--- a/.github/workflows/android-static-analysis.yml
+++ b/.github/workflows/android-static-analysis.yml
@@ -13,6 +13,9 @@ on:
 # Github Actions enabled, so these don't go unnoticed.
 # https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/notifications-for-workflow-runs
 - cron: '20 6 * * *'
+
+permissions: {}
+
 jobs:
 mobsfscan:
 name: Code scanning using mobsfscan
diff --git a/.github/workflows/android-xml-format-check.yml b/.github/workflows/android-xml-format-check.yml
index d051cdbf894c..4c4a1db46269 100644
--- a/.github/workflows/android-xml-format-check.yml
+++ b/.github/workflows/android-xml-format-check.yml
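Review bot: The top-level `permissions: {}` added to android-app.yml has no comment explaining it, and the same bare line is repeated in android-audit.yml, android-kotlin-format-check.yml, android-static-analysis.yml and the other workflows in this commit. An empty map removes every GITHUB_TOKEN scope, including `contents: read`, so a one-line comment above it such as `# Drop all default GITHUB_TOKEN scopes; a job that needs one declares it in its own permissions block` would tell the next maintainer why a new job fails until it opts in. The job bodies lie outside these hunks, so whether any existing job relies on the token (for example a checkout in a private fork or a package pull) cannot be confirmed from the diff and is worth checking before merge.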
@@ -6,6 +6,9 @@ on:
 - .github/workflows/android-xml-format-check.yml
 - android/**/*.xml
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 prepare:
 name: Prepare
diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml
index 3eabcdb4e05c..e3f44a3b96cb 100644
--- a/.github/workflows/cargo-audit.yml
+++ b/.github/workflows/cargo-audit.yml
@@ -10,11 +10,13 @@ on:
 # At 06:20 UTC every day. Will create an issue if a CVE is found.
 - cron: '20 6 * * *'
 workflow_dispatch:
+
+permissions:
+ issues: write
+
 jobs:
 audit:
 runs-on: ubuntu-latest
- permissions:
- issues: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@v3
diff --git a/.github/workflows/cargo-vendor.yml b/.github/workflows/cargo-vendor.yml
index 276760781a06..d3b69311bb9a 100644
--- a/.github/workflows/cargo-vendor.yml
+++ b/.github/workflows/cargo-vendor.yml
@@ -11,6 +11,9 @@ on:
 - Cargo.lock
 - '**/Cargo.toml'
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 cargo-vendor:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/clippy.yml b/.github/workflows/clippy.yml
index 2dfcb000c510..246aed590cb4 100644
--- a/.github/workflows/clippy.yml
+++ b/.github/workflows/clippy.yml
@@ -7,6 +7,9 @@ on:
 - clippy.toml
 - '**/*.rs'
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 prepare-android:
 name: Prepare Android container
diff --git a/.github/workflows/daemon.yml b/.github/workflows/daemon.yml
index 3293e028791e..1e7784e789fe 100644
--- a/.github/workflows/daemon.yml
+++ b/.github/workflows/daemon.yml
@@ -29,6 +29,9 @@ on:
 description: Override container image
 type: string
 required: false
+
+permissions: {}
+
 jobs:
 prepare-linux:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/desktop-e2e.yml b/.github/workflows/desktop-e2e.yml
index 3d88d8fc47b1..55905c30a27c 100644
--- a/.github/workflows/desktop-e2e.yml
+++ b/.github/workflows/desktop-e2e.yml
@@ -20,6 +20,9 @@ on:
 default: ''
 required: false
 type: string
+
+permissions: {}
+
 jobs:
 prepare-matrices:
 runs-on: ubuntu-latest
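Review bot: In cargo-audit.yml the `issues: write` grant moves from the `audit` job up to the workflow level, so any job added to this file later receives issue write access by default instead of nothing. The rest of the commit sets `permissions: {}` at the top, and ios-end-to-end-tests-nightly.yml keeps its job-level block beneath that; the same shape here would be `permissions: {}` at the top with `permissions:` / `issues: write` left on `audit`. The hunks for ios-end-to-end-tests-api.yml and ios-end-to-end-tests-merge-to-main.yml hoist `contents: read`, `issues: write` and `pull-requests: write` in the same way. With a single job in each visible file the effective token looks unchanged today, so the concern is keeping deny-by-default as jobs are added.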
diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
index 4aefa557e28c..3d12bafeaa21 100644
--- a/.github/workflows/frontend.yml
+++ b/.github/workflows/frontend.yml
@@ -8,6 +8,8 @@ on:
 - mullvad-management-interface/proto/**
 workflow_dispatch:
 
+permissions: {}
+
 jobs:
 check-frontend:
 strategy:
diff --git a/.github/workflows/ios-end-to-end-tests-api.yml b/.github/workflows/ios-end-to-end-tests-api.yml
index b3d789ae7932..d70ca2b2ec71 100644
--- a/.github/workflows/ios-end-to-end-tests-api.yml
+++ b/.github/workflows/ios-end-to-end-tests-api.yml
@@ -2,12 +2,14 @@ name: iOS end-to-end API tests
 
 on:
 workflow_dispatch:
+
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+
 jobs:
 reuse-e2e-workflow:
- permissions:
- contents: read
- issues: write
- pull-requests: write
 uses: ./.github/workflows/ios-end-to-end-tests.yml
 with:
 arg_tests_json_key: "api-tests"
diff --git a/.github/workflows/ios-end-to-end-tests-merge-to-main.yml b/.github/workflows/ios-end-to-end-tests-merge-to-main.yml
index be91e2789c48..738cd654f3bf 100644
--- a/.github/workflows/ios-end-to-end-tests-merge-to-main.yml
+++ b/.github/workflows/ios-end-to-end-tests-merge-to-main.yml
@@ -10,12 +10,14 @@ on:
 paths:
 - .github/workflows/ios-end-to-end-tests*.yml
 - ios/**
+
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+
 jobs:
 reuse-e2e-workflow:
- permissions:
- contents: read
- issues: write
- pull-requests: write
 uses: ./.github/workflows/ios-end-to-end-tests.yml
 with:
 arg_tests_json_key: "pr-merge-to-main"
diff --git a/.github/workflows/ios-end-to-end-tests-nightly.yml b/.github/workflows/ios-end-to-end-tests-nightly.yml
index 2408b3322f28..eeb7da51f797 100644
--- a/.github/workflows/ios-end-to-end-tests-nightly.yml
+++ b/.github/workflows/ios-end-to-end-tests-nightly.yml
@@ -9,6 +9,9 @@ on:
 # Github Actions enabled, so these don't go unnoticed.
 # https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/notifications-for-workflow-runs
 - cron: '0 0 * * *'
+
+permissions: {}
+
 jobs:
 reuse-e2e-workflow:
 permissions:
diff --git a/.github/workflows/ios-screenshots-creation.yml b/.github/workflows/ios-screenshots-creation.yml
index 4b7e6a3692d8..98ba4ba2b6d3 100644
--- a/.github/workflows/ios-screenshots-creation.yml
+++ b/.github/workflows/ios-screenshots-creation.yml
@@ -5,6 +5,9 @@ on:
 tags:
 - ios/*
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 test:
 name: Take screenshots
diff --git a/.github/workflows/ios-screenshots-tests.yml b/.github/workflows/ios-screenshots-tests.yml
index adba047322db..788cba9c99f6 100644
--- a/.github/workflows/ios-screenshots-tests.yml
+++ b/.github/workflows/ios-screenshots-tests.yml
@@ -12,6 +12,9 @@ on:
 - ios/**/*.swift
 - ios/**/*.xctestplan
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 test:
 if: github.event.pull_request.merged
diff --git a/.github/workflows/ios-validate-build-schemas.yml b/.github/workflows/ios-validate-build-schemas.yml
index 12057518ab6d..8fa2325db789 100644
--- a/.github/workflows/ios-validate-build-schemas.yml
+++ b/.github/workflows/ios-validate-build-schemas.yml
@@ -14,6 +14,9 @@ on:
 - ios/**/*.xctestplan
 - Cargo.toml
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 test:
 if: github.event.pull_request.merged == true
diff --git a/.github/workflows/ios.yml b/.github/workflows/ios.yml
index 516933bfea49..3e6dab808f2f 100644
--- a/.github/workflows/ios.yml
+++ b/.github/workflows/ios.yml
@@ -9,6 +9,9 @@ on:
 - ios/**/*.swift
 - ios/**/*.xctestplan
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 check-formatting:
 name: Check formatting
diff --git a/.github/workflows/proto-format-check.yml b/.github/workflows/proto-format-check.yml
index e88cb3b03d67..4ca95e744f4b 100644
--- a/.github/workflows/proto-format-check.yml
+++ b/.github/workflows/proto-format-check.yml
@@ -5,6 +5,9 @@ on:
 paths:
 - '**/*.proto'
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 check-formatting:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/rust-supply-chain.yml b/.github/workflows/rust-supply-chain.yml
index b679766c73c2..c44ab113d3f9 100644
--- a/.github/workflows/rust-supply-chain.yml
+++ b/.github/workflows/rust-supply-chain.yml
@@ -9,6 +9,9 @@ on:
 - Cargo.lock
 - '**/*.rs'
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 check-supply-chain:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/rust-unused-dependencies.yml b/.github/workflows/rust-unused-dependencies.yml
index ac07b079c96e..49300a9d45e7 100644
--- a/.github/workflows/rust-unused-dependencies.yml
+++ b/.github/workflows/rust-unused-dependencies.yml
@@ -11,6 +11,9 @@ on:
 env:
 # Pinning nightly just to avoid random breakage. It's fine to bump this at any time
 RUST_NIGHTLY_TOOLCHAIN: nightly-2024-02-06
+
+permissions: {}
+
 jobs:
 prepare-containers:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/rustfmt.yml b/.github/workflows/rustfmt.yml
index 456653dd38c7..70e01e5b3874 100644
--- a/.github/workflows/rustfmt.yml
+++ b/.github/workflows/rustfmt.yml
@@ -7,6 +7,9 @@ on:
 - rustfmt.toml
 - '**/*.rs'
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 check-formatting:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/testframework-clippy.yml b/.github/workflows/testframework-clippy.yml
index 11ee9af845b0..73c98cb41889 100644
--- a/.github/workflows/testframework-clippy.yml
+++ b/.github/workflows/testframework-clippy.yml
@@ -8,6 +8,9 @@ on:
 - .github/workflows/clippy-test.yml
 - clippy.toml
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 clippy-check-test:
 name: Clippy linting of test workspace
diff --git a/.github/workflows/testframework-rust-supply-chain.yml b/.github/workflows/testframework-rust-supply-chain.yml
index 2a7a7fa44f7e..3e09ee5ed2b6 100644
--- a/.github/workflows/testframework-rust-supply-chain.yml
+++ b/.github/workflows/testframework-rust-supply-chain.yml
@@ -9,6 +9,9 @@ on:
 - 'test/**/Cargo.lock'
 - 'test/**/*.rs'
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 check-test-framework-supply-chain:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/testframework-rustfmt.yml b/.github/workflows/testframework-rustfmt.yml
index 8889653183b9..78045fc7442d 100644
--- a/.github/workflows/testframework-rustfmt.yml
+++ b/.github/workflows/testframework-rustfmt.yml
@@ -8,6 +8,9 @@ on:
 - .github/workflows/rustfmt-test.yml
 - rustfmt.toml
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 check-formatting-test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/testframework.yml b/.github/workflows/testframework.yml
index f382567c52cd..767cb46821ba 100644
--- a/.github/workflows/testframework.yml
+++ b/.github/workflows/testframework.yml
@@ -24,6 +24,9 @@ on:
 - '!rustfmt.toml'
 - '!.yamllint'
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 prepare-build-test-framework-linux:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/translations-converter.yml b/.github/workflows/translations-converter.yml
index 4cb65d3d4f4b..15023f973c4c 100644
--- a/.github/workflows/translations-converter.yml
+++ b/.github/workflows/translations-converter.yml
@@ -6,6 +6,9 @@ on:
 - .github/workflows/translations-converter.yml
 - android/translations-converter/**
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 check-translations:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/translations.yml b/.github/workflows/translations.yml
index ccb81de9831b..c26d29bded06 100644
--- a/.github/workflows/translations.yml
+++ b/.github/workflows/translations.yml
@@ -9,6 +9,9 @@ on:
 - android/lib/resource/src/**/strings.xml
 - gui/**
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 check-translations:
 runs-on: ubuntu-latest