diff --git a/.github/workflows/buildcache.yml b/.github/workflows/buildcache.yml
index 1c54f805e..0d9fd91b8 100644
--- a/.github/workflows/buildcache.yml
+++ b/.github/workflows/buildcache.yml
@@ -5,6 +5,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   ubuntu-code-style:
     strategy:
diff --git a/.github/workflows/cancel_actions.yml b/.github/workflows/cancel_actions.yml
index f2102e818..9b5192e00 100644
--- a/.github/workflows/cancel_actions.yml
+++ b/.github/workflows/cancel_actions.yml
@@ -8,6 +8,9 @@ on:
 
 # See https://github.com/potiuk/cancel-workflow-runs#most-often-used-canceling-example
 
+permissions:
+  actions: write
+
 jobs:
   cancel-duplicate-workflow-runs:
     name: "Cancel duplicate workflow runs"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index e79be088a..55eb47cef 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   ubuntu-code-style:
     name: 'Ubuntu, code style (JDK 8)'
diff --git a/.github/workflows/maven_release.yml b/.github/workflows/maven_release.yml
index 7893df731..cb026530c 100644
--- a/.github/workflows/maven_release.yml
+++ b/.github/workflows/maven_release.yml
@@ -5,6 +5,9 @@ on:
     types:
       - published
 
+permissions:
+  contents: read
+
 jobs:
   ubuntu-latest-aurora-release-to-maven:
     name: 'Build And Release to Maven'
diff --git a/.github/workflows/remove-old-artifacts.yml b/.github/workflows/remove-old-artifacts.yml
index 061a7b566..135025a5a 100644
--- a/.github/workflows/remove-old-artifacts.yml
+++ b/.github/workflows/remove-old-artifacts.yml
@@ -7,6 +7,9 @@ on:
     # Every day at 1am
     - cron: '0 1 * * *'
 
+permissions:
+  actions: write
+
 jobs:
   remove-old-artifacts:
     runs-on: ubuntu-latest