diff --git a/.github/workflows/buildmgr.yml b/.github/workflows/buildmgr.yml
index 90809aeb9..a00facdae 100644
--- a/.github/workflows/buildmgr.yml
+++ b/.github/workflows/buildmgr.yml
@@ -119,6 +119,8 @@ jobs:
 ((github.event.schedule != '') && (!github.event.repository.private))
 runs-on: ubuntu-22.04
 timeout-minutes: 5
+ permissions:
+ contents: write
 steps:
 - name: Harden Runner
 if: ${{ !github.event.repository.private }}
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 9c6738f46..32b2a4058 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -6,7 +6,7 @@ on:
 - cron: '0 0 * * *'
 permissions:
- contents: read
+ contents: write
 jobs:
 buildmgr:
diff --git a/.github/workflows/packchk.yml b/.github/workflows/packchk.yml
index e98ae3eb5..c4d3269af 100644
--- a/.github/workflows/packchk.yml
+++ b/.github/workflows/packchk.yml
@@ -329,15 +329,14 @@ jobs:
 if-no-files-found: error
 release:
- permissions:
- contents: write
 if: |
 github.event_name == 'release' &&
 startsWith(github.ref, 'refs/tags/tools/packchk/')
 needs: [ build, test, coverage ]
 runs-on: ubuntu-22.04
 timeout-minutes: 15
-
+ permissions:
+ contents: write
 steps:
 - name: Checkout devtools
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
diff --git a/.github/workflows/svdconv.yml b/.github/workflows/svdconv.yml
index 21324d02c..2f275010b 100644
--- a/.github/workflows/svdconv.yml
+++ b/.github/workflows/svdconv.yml
@@ -333,7 +333,8 @@ jobs:
 needs: [ build, test, coverage ]
 runs-on: ubuntu-22.04
 timeout-minutes: 15
-
+ permissions:
+ contents: write
 steps:
 - name: Checkout devtools
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
diff --git a/.github/workflows/unit_test_results.yml b/.github/workflows/unit_test_results.yml
index f71a1914c..d16215247 100644
--- a/.github/workflows/unit_test_results.yml
+++ b/.github/workflows/unit_test_results.yml
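Review bot: In `.github/workflows/nightly.yml` the switch from `contents: read` to `contents: write` is made in the workflow-level `permissions:` block, so every job in the nightly workflow now receives a token that can write to the repository, not only the job that needs it. Keeping the top level at `contents: read` and granting `permissions:` / `contents: write` on the `buildmgr` job alone would match the job-scoped grants this same commit uses in `buildmgr.yml`, `packchk.yml` and `svdconv.yml`. The `jobs:` body lies outside the hunk, so whether other jobs exist there, and whether `buildmgr` calls a reusable workflow that requires the grant, should be confirmed before narrowing.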
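Review bot: In `.github/workflows/svdconv.yml` the write-capable token granted by the new `permissions:` block stays available to later git commands, because the job's first step is `actions/checkout`, which persists the job token by default. If the steps after the checkout (outside this hunk) publish through the API or an upload action rather than `git push`, add `persist-credentials: false` under the checkout's `with:`; the same applies to the `release` job in `packchk.yml`. A short comment above the new block, such as `# contents: write is needed to attach release assets`, would also record why the grant exists, assuming that is the reason.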
@@ -8,15 +8,11 @@ on:
 types:
 - completed
-permissions:
- contents: read
-
 jobs:
 publish-test-results:
 name: Publish Test Results
 runs-on: ubuntu-22.04
 if: github.event.workflow_run.conclusion != 'skipped'
-
 steps:
 - name: Harden Runner
 if: ${{ !github.event.repository.private }}
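Review bot: Removing the workflow-level `permissions:` block from `unit_test_results.yml` leaves `publish-test-results` with no explicit token scope, so it falls back to the repository or organisation default, which can be read-write across all scopes. That matters more here than in the other files because the job reads `github.event.workflow_run`, and a `workflow_run` workflow executes with the base repository's token even when the run that triggered it came from a fork. If the block was dropped because the publishing step needs more than `contents: read`, declare the needed scopes on the job instead, for example `permissions:` with `contents: read` and `checks: write` (plus `pull-requests: write` if it comments on pull requests); the publishing steps are outside this hunk, so the exact list needs confirming.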