diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml
index 45cba394a..9994827bc 100644
--- a/.github/workflows/dco.yml
+++ b/.github/workflows/dco.yml
@@ -5,8 +5,13 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 dco_check:
+ permissions:
+ pull-requests: read # for tim-actions/get-pr-commits to get list of commits from the PR
 runs-on: ubuntu-latest
 name: DCO Check
 steps:
diff --git a/.github/workflows/doc-only.yml b/.github/workflows/doc-only.yml
index c8efae5ba..6b4d35cd9 100644
--- a/.github/workflows/doc-only.yml
+++ b/.github/workflows/doc-only.yml
@@ -12,6 +12,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 verify:
 name: verify
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 1f27b57bb..3b3e59d4c 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -16,6 +16,9 @@ env:
 GO_VERSION: '1.20'
 GO_REQUIRED_MIN_VERSION: ''
 
+permissions:
+ contents: read
+
 jobs:
 e2e:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/post.yml b/.github/workflows/post.yml
index 61db9e4ba..d23185fde 100644
--- a/.github/workflows/post.yml
+++ b/.github/workflows/post.yml
@@ -16,6 +16,9 @@ env:
 GO_VERSION: '1.20'
 GO_REQUIRED_MIN_VERSION: ''
 
+permissions:
+ contents: read
+
 jobs:
 coverage:
 name: coverage
diff --git a/.github/workflows/pr-verify.yml b/.github/workflows/pr-verify.yml
index bf1790638..43c84b619 100644
--- a/.github/workflows/pr-verify.yml
+++ b/.github/workflows/pr-verify.yml
@@ -8,6 +8,9 @@ on:
 pull_request_target:
 types: [opened, edited, reopened, synchronize]
 
+permissions:
+ contents: read
+
 jobs:
 verify:
 name: verify PR contents
diff --git a/.github/workflows/pre.yml b/.github/workflows/pre.yml
index fe44be40e..ba6301e6a 100644
--- a/.github/workflows/pre.yml
+++ b/.github/workflows/pre.yml
@@ -16,6 +16,9 @@ env:
 GO_VERSION: '1.20'
 GO_REQUIRED_MIN_VERSION: ''
 
+permissions:
+ contents: read
+
 jobs:
 verify:
 name: verify
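Review bot: The job-level `permissions` block added to `dco_check` in dco.yml replaces the workflow-level default instead of merging with it, so this job's token carries `pull-requests: read` and nothing else; `contents` drops to `none`. That is the tighter setting and looks intended, but the file does not say so, and I would add `# job-level block replaces the workflow default; contents is deliberately not granted` above it. If a step outside this hunk needs repository contents through the token, add `contents: read` to the job block explicitly. The same override pattern appears on the `stale` job in stable.yaml.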
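Review bot: In pr-verify.yml, limiting the token to `contents: read` does not change what else the `pull_request_target` trigger gives this workflow: it still runs in the base repository's context, with repository secrets available, for pull requests from forks as well. The `verify` job's steps are outside the hunk, so whether it checks out or executes PR head code cannot be told from here. If it only inspects PR metadata, a comment next to the trigger such as `# pull_request_target: never check out or run PR head code in this workflow` would keep that invariant visible to later editors. If the job needs neither secrets nor write scopes, the plain `pull_request` trigger is presumably the safer choice.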
diff --git a/.github/workflows/releaseimage.yml b/.github/workflows/releaseimage.yml
index 54381dbc7..17258f183 100644
--- a/.github/workflows/releaseimage.yml
+++ b/.github/workflows/releaseimage.yml
@@ -15,6 +15,9 @@ defaults:
 run:
 working-directory: go/src/open-cluster-management.io/ocm
 
+permissions:
+ contents: read
+
 jobs:
 env:
 name: prepare release env
diff --git a/.github/workflows/stable.yaml b/.github/workflows/stable.yaml
index 845962c56..7793ff476 100644
--- a/.github/workflows/stable.yaml
+++ b/.github/workflows/stable.yaml
@@ -5,8 +5,14 @@ on:
 # `stable` label will be added to issues and PRs that have been inactive for 120 days
 # Close stale issues and PRs after 14 days of inactivity
 
+permissions:
+ contents: read
+
 jobs:
 stale:
+ permissions:
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
 runs-on: ubuntu-latest
 steps:
 - uses: actions/stale@v8
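Review bot: The workflow-level `permissions` block in releaseimage.yml sets every unlisted scope to `none`, and the release jobs that would show whether `contents: read` is enough are outside this hunk. If any of them publishes with `GITHUB_TOKEN` (creating a GitHub release needs `contents: write`, pushing to ghcr.io needs `packages: write`), it will now fail at release time; pushes that authenticate with stored registry credentials are unaffected. Where a job does need more, grant it on that job only, as dco.yml does, rather than widening this default. The same check is worth making for the jobs in post.yml, e2e.yml and pre.yml, whose steps are also not visible here.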
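Review bot: In stable.yaml the `stale` job now holds `issues: write` and `pull-requests: write`, and the action that receives that token is referenced by a mutable tag, `actions/stale@v8` (the context line at the end of the hunk). Pinning it to a full commit SHA with the tag kept as a comment, `- uses: actions/stale@<full-commit-sha>  # v8`, means a moved tag cannot change the code that runs with those write scopes. The inline comments mention only closing; if the configuration outside the hunk also labels or comments, say so, e.g. `issues: write  # for actions/stale to label, comment on and close stale issues`. The job's remaining steps are outside the hunk.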