diff --git a/.github/workflows/command-rebase.yml b/.github/workflows/command-rebase.yml
index c497cb38e..3a52d6264 100644
--- a/.github/workflows/command-rebase.yml
+++ b/.github/workflows/command-rebase.yml
@@ -9,8 +9,13 @@ on:
 issue_comment:
 types: created
+permissions:
+ contents: read
+
 jobs:
 rebase:
+ permissions:
+ contents: none
 runs-on: ubuntu-latest
 # On pull requests and if the comment starts with `/rebase`
diff --git a/.github/workflows/dependabot-approve-merge.yml b/.github/workflows/dependabot-approve-merge.yml
index 53ccf2ca9..d3a2f48e5 100644
--- a/.github/workflows/dependabot-approve-merge.yml
+++ b/.github/workflows/dependabot-approve-merge.yml
@@ -11,8 +11,13 @@ on:
 - main
 - stable*
+permissions:
+ contents: read
+
 jobs:
 auto-merge:
+ permissions:
+ pull-requests: write # for hmarr/auto-approve-action to approve PRs
 runs-on: ubuntu-latest
 steps:
 # Default github action approve
diff --git a/.github/workflows/lint-info-xml.yml b/.github/workflows/lint-info-xml.yml
index 31379b79b..1fa5ce2d3 100644
--- a/.github/workflows/lint-info-xml.yml
+++ b/.github/workflows/lint-info-xml.yml
@@ -12,6 +12,9 @@ on:
 - main
 - stable*
+permissions:
+ contents: read
+
 jobs:
 xml-linters:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint-php-cs.yml b/.github/workflows/lint-php-cs.yml
index 494d778e9..4cfa9e30e 100644
--- a/.github/workflows/lint-php-cs.yml
+++ b/.github/workflows/lint-php-cs.yml
@@ -12,6 +12,9 @@ on:
 - main
 - stable*
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint-php.yml b/.github/workflows/lint-php.yml
index 68ae194de..fbc2d7ba8 100644
--- a/.github/workflows/lint-php.yml
+++ b/.github/workflows/lint-php.yml
@@ -12,6 +12,9 @@ on:
 - main
 - stable*
+permissions:
+ contents: read
+
 jobs:
 php-lint:
 runs-on: ubuntu-latest
@@ -35,6 +38,8 @@ jobs:
 run: composer run lint
 summary:
+ permissions:
+ contents: none
 runs-on: ubuntu-latest
 needs: php-lint
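Review bot: In the `rebase` job of command-rebase.yml, `contents: none` leaves the job's GITHUB_TOKEN with no scopes at all, because a job-level `permissions` block replaces the workflow-level `contents: read` and every scope it does not list is set to none. The job's steps are outside this hunk, so presumably they authenticate with a separate secret. If so, this block does not limit what that credential can do on a comment-triggered run, and a comment should say so, for example `# GITHUB_TOKEN is unused here; the steps' own token is not restricted by this block`. Writing the block as `permissions: {}` would state the intent more directly, and the same applies to the `summary` job in lint-php.yml.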
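Review bot: The `auto-merge` job in dependabot-approve-merge.yml now receives only `pull-requests: write`, because the job-level block replaces the workflow-level `contents: read` and leaves `contents` at none for this job. The inline comment justifies the scope for approval only, and the job's steps are outside this hunk. If a later step merges the pull request with the default GITHUB_TOKEN, it would presumably need `contents: write` and would start failing after this change. Confirm which credential the merge step uses and record it next to the block, e.g. `# merge step uses <token name>, not GITHUB_TOKEN`. Since this token can approve pull requests, also check that the job's actor condition (not visible here) limits it to Dependabot.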
diff --git a/.github/workflows/phpunit.yml b/.github/workflows/phpunit.yml
index b55f56539..90c9ad5f2 100644
--- a/.github/workflows/phpunit.yml
+++ b/.github/workflows/phpunit.yml
@@ -10,6 +10,9 @@ on:
 env:
 APP_NAME: contacts
+permissions:
+ contents: read
+
 jobs:
 php:
 runs-on: ubuntu-latest