diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4a39d6a1..58726834 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,9 @@ on:
 branches: [ main ]
 paths: [ 'lambda/**' ]
 
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Testing
diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
index 76e23d08..c1259c80 100644
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -4,6 +4,9 @@ on:
 release:
 types: [ published ]
 
+permissions:
+ contents: read
+
 jobs:
 docs:
 name: Documentation Deployment
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 84035596..2ca4717c 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -8,6 +8,9 @@ on:
 branches: [ main ]
 paths: [ '**.md' ]
 
+permissions:
+ contents: read
+
 jobs:
 markdown:
 name: Markdown Linting
diff --git a/.github/workflows/localization.yml b/.github/workflows/localization.yml
index 85dc5da6..1c316656 100644
--- a/.github/workflows/localization.yml
+++ b/.github/workflows/localization.yml
@@ -5,11 +5,17 @@ on:
 branches: [ main ]
 paths: [ 'resources/locales/**' ]
 
+permissions:
+ contents: read
+
 jobs:
 update:
 name: Locale Updates
 runs-on: ubuntu-latest
 
+ permissions:
+ contents: write
+
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3598e958..e93b2fcf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,9 @@ on:
 type: choice
 options: [ major, minor, patch, premajor, preminor, prepatch, prerelease ]
 
+permissions:
+ contents: read
+
 jobs:
 pkg-update:
 name: Package Version Update
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index f2fb593a..2a807d63 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
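Review bot: In `.github/workflows/deployment.yml` the `docs` job is left with only the workflow-level `contents: read`, with no job-level override of the kind `localization.yml` receives in this same commit. The job body lies outside the hunk, so this is inferred from the job name: if Documentation Deployment publishes with `GITHUB_TOKEN` (a push to a pages branch, or a Pages deployment), it will be denied after this change and needs its own job-level `permissions:` block, for example `contents: write`, or `pages: write` with `id-token: write`. The same question applies to `pkg-update` in `.github/workflows/release.yml`, which by its name writes a version bump back to the repository. If either job authenticates with a separate secret rather than `GITHUB_TOKEN`, a comment above `permissions:` such as `# read-only on purpose: publishing uses a dedicated token` would stop a later maintainer from widening the default.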
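Review bot: In `.github/workflows/localization.yml` the new job-level `contents: write` applies to every step of the `update` job, not only to the step that commits, and the job's steps continue past the end of the hunk. Any `uses:` reference in that job therefore runs with a token that can push to the repository, so references by mutable tag such as the `actions/checkout@v4` visible in context are worth pinning to a full commit SHA. A short comment next to the grant, for example `# write access is needed to push the regenerated locale files` (wording to be confirmed against the steps), would record why this job is the exception to the read-only default.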
@@ -8,11 +8,17 @@ on:
 schedule:
 - cron: '42 1 1 * *' # Every first day of the month at 1:42
 
+permissions:
+ contents: read
+
 jobs:
 codeql:
 name: Code Scanning
 runs-on: ubuntu-latest
 
+ permissions:
+ security-events: write
+
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
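Review bot: The job-level `permissions:` block added to `codeql` replaces the workflow-level block instead of extending it, so every scope not listed there, including `contents`, becomes `none` for this job. On a public repository the checkout step still succeeds, but on a private or internal one `actions/checkout@v4` can no longer read the repository and the scan fails before analysis starts. Listing `contents: read` next to `security-events: write` (plus `actions: read`, which the CodeQL action documents for private repositories) keeps the job working regardless of repository visibility. The job's steps continue beyond the end of the hunk, so any other scope they rely on should be checked the same way.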