diff --git a/.github/workflows/call-contributor-issue-comment.yml b/.github/workflows/call-contributor-issue-comment.yml
index 4e8b7db1c3..a47ee7b28d 100644
--- a/.github/workflows/call-contributor-issue-comment.yml
+++ b/.github/workflows/call-contributor-issue-comment.yml
@@ -4,6 +4,9 @@ on:
 issue_comment:
 types: [created]
+permissions:
+ contents: read
+
 jobs:
 call-workflow:
 uses: learningequality/.github/.github/workflows/contributor-issue-comment.yml@main
diff --git a/.github/workflows/call-contributor-pr-reply.yml b/.github/workflows/call-contributor-pr-reply.yml
index e8316e041b..ac84d3db82 100644
--- a/.github/workflows/call-contributor-pr-reply.yml
+++ b/.github/workflows/call-contributor-pr-reply.yml
@@ -2,6 +2,10 @@ name: Send reply on a new contributor pull request
 on:
 pull_request_target:
 types: [opened]
+
+permissions:
+ contents: read
+
 jobs:
 call-workflow:
 name: Call shared workflow
diff --git a/.github/workflows/call-manage-issue-header.yml b/.github/workflows/call-manage-issue-header.yml
index 4af6730ac2..c511eef0b2 100644
--- a/.github/workflows/call-manage-issue-header.yml
+++ b/.github/workflows/call-manage-issue-header.yml
@@ -4,6 +4,9 @@ on:
 issues:
 types: [opened, reopened, labeled, unlabeled]
+permissions:
+ contents: read
+
 jobs:
 call-workflow:
 name: Call shared workflow
diff --git a/.github/workflows/call-pull-request-target.yml b/.github/workflows/call-pull-request-target.yml
index e499bcddf8..d3cc282b91 100644
--- a/.github/workflows/call-pull-request-target.yml
+++ b/.github/workflows/call-pull-request-target.yml
@@ -2,6 +2,10 @@ name: Handle pull request events
 on:
 pull_request_target:
 types: [opened, review_requested, labeled]
+
+permissions:
+ contents: read
+
 jobs:
 call-workflow:
 name: Call shared workflow
diff --git a/.github/workflows/call-update-pr-spreadsheet.yml b/.github/workflows/call-update-pr-spreadsheet.yml
index 35464d6b02..5972bbc785 100644
--- a/.github/workflows/call-update-pr-spreadsheet.yml
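Review bot: In call-contributor-issue-comment.yml the new top-level `permissions:` block lists only `contents: read`, which sets every unlisted GITHUB_TOKEN scope to `none`, and a reusable workflow reached through `uses:` cannot raise the token above what the caller grants. The called workflow's steps are not visible here; if it comments or labels with GITHUB_TOKEN it will now be denied, and the `call-workflow` job would need a job-level grant such as `issues: write` or `pull-requests: write`. If it authenticates with its own token passed as a secret, a comment such as `# shared workflow uses its own token; GITHUB_TOKEN stays read-only` above the block would record that. The same applies to the other `call-*.yml` hunks, community-contribution-labeling.yml and unassign-inactive.yaml.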
+++ b/.github/workflows/call-update-pr-spreadsheet.yml
@@ -3,6 +3,9 @@ on:
 pull_request_target:
 types: [assigned, unassigned, opened, closed, reopened, edited, review_requested, review_request_removed]
+permissions:
+ contents: read
+
 jobs:
 call-workflow:
 name: Call shared workflow
diff --git a/.github/workflows/community-contribution-labeling.yml b/.github/workflows/community-contribution-labeling.yml
index 701465ba1c..57953db099 100644
--- a/.github/workflows/community-contribution-labeling.yml
+++ b/.github/workflows/community-contribution-labeling.yml
@@ -4,6 +4,9 @@ on:
 issues:
 types: [assigned, unassigned]
+permissions:
+ contents: read
+
 jobs:
 call-label-action:
 uses: learningequality/.github/.github/workflows/community-contribution-label.yml@main
diff --git a/.github/workflows/containerbuild.yml b/.github/workflows/containerbuild.yml
index 0dc9af1f07..f46f47d079 100644
--- a/.github/workflows/containerbuild.yml
+++ b/.github/workflows/containerbuild.yml
@@ -10,6 +10,10 @@ on:
 - 'v*'
 pull_request:
+permissions:
+ contents: read
+ packages: write
+
 jobs:
 pre_postgres:
 name: Path match check - postgres
diff --git a/.github/workflows/deploytest.yml b/.github/workflows/deploytest.yml
index 03f71f6ce7..8d29504876 100644
--- a/.github/workflows/deploytest.yml
+++ b/.github/workflows/deploytest.yml
@@ -8,6 +8,10 @@ on:
 - master
 pull_request:
+permissions:
+ contents: read
+ actions: read
+
 jobs:
 pre_job:
 name: Path match check
diff --git a/.github/workflows/frontendtest.yml b/.github/workflows/frontendtest.yml
index 76de0dad94..e995328d09 100644
--- a/.github/workflows/frontendtest.yml
+++ b/.github/workflows/frontendtest.yml
@@ -8,6 +8,10 @@ on:
 - master
 pull_request:
+permissions:
+ contents: read
+ actions: read
+
 jobs:
 pre_job:
 name: Path match check
diff --git a/.github/workflows/i18n-download.yml b/.github/workflows/i18n-download.yml
index b4810d331d..cdaa38687a 100644
--- a/.github/workflows/i18n-download.yml
+++ b/.github/workflows/i18n-download.yml
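Review bot: In containerbuild.yml `packages: write` is granted at workflow level, so every job receives it, including the `pre_postgres` path-match job visible in the context lines, and the workflow also runs on `pull_request`. Keeping only `contents: read` at the top and adding a job-level `permissions:` block with `contents: read` and `packages: write` to the jobs that actually push images would confine the write scope to where it is used. Which jobs publish is outside this hunk, so this needs checking against the full file.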
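Review bot: The `actions: read` scope added in deploytest.yml carries no comment saying which step needs it, and at workflow level it reaches every job. If only the `pre_job` path-match check queries workflow runs (its steps are outside the hunk), move the scope into that job's own `permissions:` block, or document it in place with `# actions: read is required by pre_job to inspect earlier workflow runs`. frontendtest.yml and pythontest.yml add the same block and the same remark applies.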
@@ -3,6 +3,9 @@ name: Download translations from Crowdin
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 download:
 name: Download translations and update files
diff --git a/.github/workflows/i18n-upload.yml b/.github/workflows/i18n-upload.yml
index 38816e944d..8235a53de9 100644
--- a/.github/workflows/i18n-upload.yml
+++ b/.github/workflows/i18n-upload.yml
@@ -3,6 +3,9 @@ name: Upload translations to Crowdin
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 upload:
 name: Extract and upload strings to Crowdin
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 14ff4ac2fd..6efea7fad5 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -12,6 +12,9 @@ on:
 - hotfixes
 - master
+permissions:
+ contents: read
+
 jobs:
 pre_job:
 name: Path match check
diff --git a/.github/workflows/pythontest.yml b/.github/workflows/pythontest.yml
index e77c613e69..0c4a0545ca 100644
--- a/.github/workflows/pythontest.yml
+++ b/.github/workflows/pythontest.yml
@@ -8,6 +8,10 @@ on:
 - master
 pull_request:
+permissions:
+ contents: read
+ actions: read
+
 jobs:
 pre_job:
 name: Path match check
diff --git a/.github/workflows/unassign-inactive.yaml b/.github/workflows/unassign-inactive.yaml
index 4151166a6d..78f2e110b4 100644
--- a/.github/workflows/unassign-inactive.yaml
+++ b/.github/workflows/unassign-inactive.yaml
@@ -6,6 +6,9 @@ on:
 - cron: "1 0 * * 1" # Every Monday at 00:01 UTC
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 unassign-inactive:
 uses: learningequality/.github/.github/workflows/unassign-inactive-issues.yaml@main
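Review bot: In i18n-download.yml the token is limited to `contents: read`, while the job in the context lines is named "Download translations and update files", which suggests it writes results back to the repository; the steps themselves are outside the hunk. If that job commits, pushes or opens a pull request with GITHUB_TOKEN, it will be refused under this block and would need `contents: write` (and `pull-requests: write` if it opens a PR) in a job-level `permissions:`. If it writes with a separate token instead, a comment such as `# repository writes use a dedicated token, not GITHUB_TOKEN` would make the read-only setting self-explanatory.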