diff --git a/.github/workflows/back-port.yml b/.github/workflows/back-port.yml index e53aacb50..fc0705f66 100644 --- a/.github/workflows/back-port.yml +++ b/.github/workflows/back-port.yml @@ -4,11 +4,17 @@ on: types: - closed +permissions: + contents: read + jobs: # align with crossplane's choice https://github.com/crossplane/crossplane/blob/master/.github/workflows/backport.yml open-pr: runs-on: ubuntu-20.04 if: github.event.pull_request.merged + permissions: + contents: write + pull-requests: write steps: - name: Checkout uses: actions/checkout@v3 diff --git a/.github/workflows/chart.yml b/.github/workflows/chart.yml index 447906fd8..53c4b309b 100644 --- a/.github/workflows/chart.yml +++ b/.github/workflows/chart.yml @@ -6,6 +6,9 @@ on: - "v*" workflow_dispatch: { } +permissions: + contents: read + env: BUCKET: ${{ secrets.OSS_BUCKET }} ENDPOINT: ${{ secrets.OSS_ENDPOINT }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e05d7551f..5f959c13f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -4,11 +4,18 @@ on: push: branches: [ master, release-* ] +permissions: + contents: read + jobs: analyze: name: Analyze runs-on: ubuntu-latest + permissions: + actions: read # for github/codeql-action/init to get workflow details + security-events: write # for github/codeql-action/autobuild to send a status report + strategy: fail-fast: false matrix: diff --git a/.github/workflows/commit-lint.yml b/.github/workflows/commit-lint.yml index 2857a30e2..046502669 100644 --- a/.github/workflows/commit-lint.yml +++ b/.github/workflows/commit-lint.yml @@ -8,6 +8,9 @@ on: - labeled - unlabeled +permissions: + pull-requests: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/core-api-test.yml b/.github/workflows/core-api-test.yml index dce85c395..a1b5139ac 100644 --- a/.github/workflows/core-api-test.yml +++ b/.github/workflows/core-api-test.yml 
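Review bot: The job-level block on open-pr in back-port.yml raises the token to `contents: write` and `pull-requests: write` without the per-scope rationale comments that codeql-analysis.yml and go.yml carry in this same commit. This is the only workflow in the set that escalates above read, so a one-line justification per scope helps the next reviewer audit it, e.g. `contents: write # for pushing the backport branch` and `pull-requests: write # for opening the backport PR`. What the steps actually need is outside the hunk, so confirm the wording against them.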
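Review bot: The job-level `permissions:` added to analyze in codeql-analysis.yml does not list `contents: read`, and GitHub treats a job-level block as a full replacement of the workflow-level one, so every scope not named there becomes none rather than being inherited. If the analyze job checks out the repository (its steps are outside the hunk), add `contents: read # for actions/checkout to fetch code` next to the two scopes, matching what go.yml's lint job does in this same commit. The same replacement semantics apply to the job-level blocks added to detect-noop in e2e-multicluster-test.yml, e2e-rollout-test.yml, e2e-test.yml, go.yml and unit-test.yml and to backport in issue-commands.yml, which keep only the scopes they list; worth confirming none of those jobs need repository access.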
@@ -1,38 +1,41 @@ name: core-api-test on: - pull_request: - paths: - - 'apis/**' - - 'pkg/oam/**' - - "hack/apis/**" - branches: - - master - - release-* + pull_request: + paths: + - 'apis/**' + - 'pkg/oam/**' + - "hack/apis/**" + branches: + - master + - release-* + +permissions: + contents: read jobs: - core-api-test: - runs-on: ubuntu-20.04 - steps: - - name: Set up Go 1.19 - uses: actions/setup-go@v3 - env: - GO_VERSION: '1.19' - GOLANGCI_VERSION: 'v1.49' - with: - go-version: ${{ env.GO_VERSION }} - id: go + core-api-test: + runs-on: ubuntu-20.04 + steps: + - name: Set up Go 1.19 + uses: actions/setup-go@v3 + env: + GO_VERSION: '1.19' + GOLANGCI_VERSION: 'v1.49' + with: + go-version: ${{ env.GO_VERSION }} + id: go - - name: Check out code into the Go module directory - uses: actions/checkout@v3 + - name: Check out code into the Go module directory + uses: actions/checkout@v3 - - name: Get the version - id: get_version - run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT + - name: Get the version + id: get_version + run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT - - name: Test build kubevela-core-api - env: - VERSION: ${{ steps.get_version.outputs.VERSION }} - COMMIT_ID: ${{ github.sha }} - run: | - bash ./hack/apis/clientgen.sh - bash ./hack/apis/sync.sh test \ No newline at end of file + - name: Test build kubevela-core-api + env: + VERSION: ${{ steps.get_version.outputs.VERSION }} + COMMIT_ID: ${{ github.sha }} + run: | + bash ./hack/apis/clientgen.sh + bash ./hack/apis/sync.sh test \ No newline at end of file diff --git a/.github/workflows/definition-lint.yml b/.github/workflows/definition-lint.yml index 6ba3bd31b..c7fdec3a5 100644 --- a/.github/workflows/definition-lint.yml +++ b/.github/workflows/definition-lint.yml @@ -11,6 +11,9 @@ on: - master - release-* +permissions: + contents: read + env: # Common versions GO_VERSION: '1.19' 
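Review bot: The core-api-test.yml hunk reindents the entire file to add the three `permissions:` lines, so every line shows as changed and the actual change is hard to pick out. Keeping the original flush-left sequence style (or doing the reindent in a separate commit) would leave a three-line diff. The new side also still ends without a trailing newline, as the `\ No newline at end of file` marker shows, so the final `bash ./hack/apis/sync.sh test` line should gain one; the reindent itself appears to have no functional effect.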
diff --git a/.github/workflows/e2e-multicluster-test.yml b/.github/workflows/e2e-multicluster-test.yml index 296905a9a..a3122b829 100644 --- a/.github/workflows/e2e-multicluster-test.yml +++ b/.github/workflows/e2e-multicluster-test.yml @@ -13,6 +13,9 @@ on: - master - release-* +permissions: + contents: read + env: # Common versions GO_VERSION: '1.19' @@ -21,6 +24,8 @@ env: jobs: detect-noop: + permissions: + actions: write runs-on: ubuntu-20.04 outputs: noop: ${{ steps.noop.outputs.should_skip }} diff --git a/.github/workflows/e2e-rollout-test.yml b/.github/workflows/e2e-rollout-test.yml index 540490d61..a7eb678c8 100644 --- a/.github/workflows/e2e-rollout-test.yml +++ b/.github/workflows/e2e-rollout-test.yml @@ -13,6 +13,9 @@ on: - master - release-* +permissions: + contents: read + env: # Common versions GO_VERSION: '1.19' @@ -21,6 +24,8 @@ env: jobs: detect-noop: + permissions: + actions: write runs-on: ubuntu-20.04 outputs: noop: ${{ steps.noop.outputs.should_skip }} diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index 76019fd7d..e0e463094 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -13,6 +13,9 @@ on: - master - release-* +permissions: + contents: read + env: # Common versions GO_VERSION: '1.19' @@ -21,6 +24,8 @@ env: jobs: detect-noop: + permissions: + actions: write runs-on: ubuntu-20.04 outputs: noop: ${{ steps.noop.outputs.should_skip }} diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index d346142ff..87a4918ca 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -11,6 +11,9 @@ on: - master - release-* +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + env: # Common versions GO_VERSION: '1.19' @@ -22,6 +25,8 @@ jobs: runs-on: ubuntu-20.04 outputs: noop: ${{ steps.noop.outputs.should_skip }} + permissions: + actions: write steps: - name: Detect No-op Changes id: noop 
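Review bot: The `actions: write` added to detect-noop in e2e-multicluster-test.yml has no rationale comment, whereas the identical line in unit-test.yml is annotated `actions: write # for fkirc/skip-duplicate-actions to skip or stop workflow runs`; the same applies to e2e-rollout-test.yml, e2e-test.yml and go.yml. Copying that comment to all four keeps the only write scope in these workflows auditable. In go.yml the block is also placed after `outputs:` while the other three put it before `runs-on:`; placing it in the same position under the job name makes the files easier to compare.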
@@ -68,6 +73,9 @@ jobs: runs-on: ubuntu-20.04 needs: detect-noop if: needs.detect-noop.outputs.noop != 'true' + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: read # for golangci/golangci-lint-action to fetch pull requests steps: - name: Setup Go diff --git a/.github/workflows/issue-commands.yml b/.github/workflows/issue-commands.yml index d4263f19a..3e9c355f9 100644 --- a/.github/workflows/issue-commands.yml +++ b/.github/workflows/issue-commands.yml @@ -5,6 +5,9 @@ on: issue_comment: types: [created] +permissions: + contents: read + jobs: bot: runs-on: ubuntu-20.04 @@ -32,6 +35,9 @@ jobs: backport: runs-on: ubuntu-22.04 if: github.event.issue.pull_request && contains(github.event.comment.body, '/backport') + permissions: + issues: write + pull-requests: write steps: - name: Extract Command id: command diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml index 725248a0e..679cacc0f 100644 --- a/.github/workflows/license.yml +++ b/.github/workflows/license.yml @@ -9,6 +9,9 @@ on: branches: - master - release-* + - +permissions: + contents: read jobs: license_check: diff --git a/.github/workflows/registry.yml b/.github/workflows/registry.yml index 70fab3faa..12320ccf5 100644 --- a/.github/workflows/registry.yml +++ b/.github/workflows/registry.yml @@ -11,6 +11,9 @@ env: ACCESS_KEY: ${{ secrets.OSS_ACCESS_KEY }} ACCESS_KEY_SECRET: ${{ secrets.OSS_ACCESS_KEY_SECRET }} +permissions: + contents: read + jobs: publish-core-images: runs-on: ubuntu-latest diff --git a/.github/workflows/sync-api.yml b/.github/workflows/sync-api.yml index a46e7b655..b4e2f6978 100644 --- a/.github/workflows/sync-api.yml +++ b/.github/workflows/sync-api.yml @@ -7,6 +7,9 @@ on: tags: - "v*" +permissions: + contents: read + env: GO_VERSION: '1.19' diff --git a/.github/workflows/timed-task.yml b/.github/workflows/timed-task.yml index 63e913e49..5ceaefce7 100644 --- a/.github/workflows/timed-task.yml +++ b/.github/workflows/timed-task.yml 
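Review bot: The backport job in issue-commands.yml is now granted `issues: write` and `pull-requests: write`, but its `if:` only checks that the comment is on a pull request and contains `/backport`, and `issue_comment` fires for any account able to comment. Unless a step outside the hunk verifies the commenter, the condition should also gate on author association, e.g. extending it with `&& contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`, so the write scopes are only exercised on requests from maintainers. The job's steps begin inside the hunk but continue past it.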
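Review bot: In registry.yml the new `permissions:` block is placed after the `env:` block, while every other workflow in this commit puts it directly after `on:`. Moving it up keeps the files uniform and makes a missing block easier to spot in review; it has no functional effect. Since publish-core-images pushes images using the OSS secrets declared just above, also confirm that `contents: read` alone covers its steps, which are outside the hunk.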
@@ -2,6 +2,9 @@ name: Timed Task on: schedule: - cron: '* * * * *' + +permissions: {} + jobs: clean-image: runs-on: aliyun diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml index 124d60bdc..c1d51c7c0 100644 --- a/.github/workflows/trivy-scan.yml +++ b/.github/workflows/trivy-scan.yml @@ -4,6 +4,9 @@ on: pull_request: branches: [ master ] +permissions: + contents: read + jobs: images: name: Image Scan diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index c7e5e1117..3100b60c4 100644 --- a/.github/workflows/unit-test.yml +++ b/.github/workflows/unit-test.yml @@ -5,12 +5,15 @@ on: branches: - master - release-* - workflow_dispatch: {} + workflow_dispatch: { } pull_request: branches: - master - release-* +permissions: + contents: read + env: # Common versions GO_VERSION: '1.19' @@ -19,6 +22,8 @@ env: jobs: detect-noop: + permissions: + actions: write # for fkirc/skip-duplicate-actions to skip or stop workflow runs runs-on: ubuntu-20.04 outputs: noop: ${{ steps.noop.outputs.should_skip }}
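Review bot: `permissions: {}` in timed-task.yml leaves the token with no scopes at all, which is the most restrictive setting and fine if clean-image needs no GitHub access, but it will break any step in that job that uses actions/checkout or the GitHub API. The job's steps are outside the hunk; if it checks out the repository, give clean-image a job-level `permissions:` with `contents: read`. The empty flow map `{}` is the conventional spelling, so no change there.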
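Review bot: trivy-scan.yml gets only `contents: read` at workflow level; if the images job uploads its findings to code scanning (for example via `github/codeql-action/upload-sarif`), that step also needs `security-events: write` at job level, and `contents: read` would then have to be restated in the same job-level block because it replaces the workflow-level one. The job's steps are outside the hunk, so this is a check to run rather than a confirmed defect.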
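Review bot: The `workflow_dispatch: {}` to `workflow_dispatch: { }` change at the top of the unit-test.yml hunk is unrelated whitespace churn inside a permissions commit; the two spellings are equivalent. Either drop it or keep `workflow_dispatch: {}`, which is the form Prettier and yamllint emit, so the hunk carries only the `permissions:` addition.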