diff --git a/.github/workflows/commitMsg.yml b/.github/workflows/commitMsg.yml
index 6d102c22b7..d309816580 100644
--- a/.github/workflows/commitMsg.yml
+++ b/.github/workflows/commitMsg.yml
@@ -2,6 +2,8 @@ name: Commit Message Check
 on: # yamllint disable-line rule:truthy
 pull_request:
+permissions: read-all
+
 jobs:
 check-commit-message:
 name: Check Commit Message
@@ -12,5 +14,3 @@ jobs:
 - name: Check commit message
 uses: webiny/action-conventional-commits@v1.3.0
- with:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml
index a1ff4b3187..c70e582a65 100644
--- a/.github/workflows/daily.yml
+++ b/.github/workflows/daily.yml
@@ -6,6 +6,8 @@ on: # yamllint disable-line rule:truthy
 schedule:
 - cron: 12 9 * * *
+permissions: read-all
+
 jobs:
 # daily go security
 gosec:
diff --git a/.github/workflows/developer_local.yml b/.github/workflows/developer_local.yml
index bc4e2c5ba5..0a92ff22d4 100644
--- a/.github/workflows/developer_local.yml
+++ b/.github/workflows/developer_local.yml
@@ -3,6 +3,8 @@ name: local dev env validation
 on: # yamllint disable-line rule:truthy
 workflow_call:
+permissions: read-all
+
 jobs:
 local_env:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
index de56a455ba..24fd88daf4 100644
--- a/.github/workflows/gosec.yml
+++ b/.github/workflows/gosec.yml
@@ -5,6 +5,9 @@ name: Security Scan
 on: # yamllint disable-line rule:truthy
 workflow_call:
+permissions:
+ pull-requests: read
+
 jobs:
 tests:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pre-commit-auto-update.yml b/.github/workflows/pre-commit-auto-update.yml
index 598ec477ee..543ef4ec86 100644
--- a/.github/workflows/pre-commit-auto-update.yml
+++ b/.github/workflows/pre-commit-auto-update.yml
@@ -4,6 +4,8 @@ on: # yamllint disable-line rule:truthy
 schedule:
 - cron: 0 0 1 * *
+permissions: read-all
+
 jobs:
 auto-update:
 runs-on: ubuntu-latest
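Review bot: `permissions: read-all` in commitMsg.yml still grants read on every token scope (actions, packages, security-events and the rest), which is wider than a commit-message check needs; the same line is added in daily.yml, developer_local.yml, pre-commit-auto-update.yml and yamllint.yml. An explicit list is the least-privilege form, because any scope not listed becomes `none`: here probably `permissions:` with `contents: read` and `pull-requests: read`, the latter only if the action reads the PR's commits through the API, which the hunk does not show. developer_local.yml and yamllint.yml are `workflow_call` workflows, so the caller's token permissions are the upper bound and the block there can only narrow them. A one-line comment above each block naming the scope each job needs would keep later edits from widening it.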
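Review bot: Listing only `pull-requests: read` in gosec.yml sets every other scope, including `contents`, to `none`, so the `tests` job gets no token access to repository contents. The job's steps are outside the hunk; if it checks out the code with the default token, add `contents: read` next to the existing entry, since relying on public-repository visibility for checkout breaks silently if that ever changes. If the scan uploads results to code scanning it would also need `security-events: write`, best granted under `jobs.tests.permissions` rather than workflow-wide. Because this is a `workflow_call` workflow, a caller running with read-only permissions cannot supply that write scope.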
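Review bot: `permissions: read-all` in pre-commit-auto-update.yml leaves the `auto-update` job with no write scope, which matters if the job pushes a branch or opens a pull request with `GITHUB_TOKEN`. The steps are outside the hunk, so this is inferred from the workflow name only. If they do use the default token, the job needs `contents: write` and `pull-requests: write`, best set under `jobs.auto-update.permissions` so the workflow-level default stays read-only. If a separate PAT or app token is used instead, a comment next to the block saying so would make the read-only default clearly intentional.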
diff --git a/.github/workflows/unit_test.yml b/.github/workflows/unit_test.yml
index 6e0cdf3c47..9e3683c1c4 100644
--- a/.github/workflows/unit_test.yml
+++ b/.github/workflows/unit_test.yml
@@ -7,7 +7,7 @@ on: # yamllint disable-line rule:truthy
 permissions:
 pull-requests: write
- contents: write
+ contents: read
 repository-projects: write
 packages: write
diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml
index 701e5229fd..5eca543b70 100644
--- a/.github/workflows/yamllint.yml
+++ b/.github/workflows/yamllint.yml
@@ -3,6 +3,8 @@ name: yamllint
 on: # yamllint disable-line rule:truthy
 workflow_call:
+permissions: read-all
+
 jobs:
 yamllint:
 runs-on: ubuntu-latest
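Review bot: In unit_test.yml only `contents` is lowered to `read`; `pull-requests: write`, `repository-projects: write` and `packages: write` stay at workflow level, so every job in the file still receives them. The trigger and the jobs are outside the hunk; if the workflow runs on pull requests and executes code from the branch (tests, build scripts), that code runs with those write scopes for same-repository branches. Moving each write scope to the one job that uses it under `jobs.<job_id>.permissions`, and dropping any that no step uses, would shrink that exposure. A comment per scope naming the step that needs it would help reviewers.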