diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 26eb1ad3de..3d22b2d0e5 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -12,8 +12,15 @@ concurrency:
   group: "${{ github.workflow }}-${{ github.head_ref || github.run_id }}"
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL:
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/analyze to upload SARIF results
     if: ${{!github.event.repository.private}}
     runs-on: ubuntu-latest
 
diff --git a/.github/workflows/production-suite.yml b/.github/workflows/production-suite.yml
index afdadb860a..0358ac04f1 100644
--- a/.github/workflows/production-suite.yml
+++ b/.github/workflows/production-suite.yml
@@ -33,6 +33,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   production_build:
     # This job builds a release tarball from the current commit, which
diff --git a/.github/workflows/update-oneclick-apps.yml b/.github/workflows/update-oneclick-apps.yml
index ad34a2fa0e..4d39e36f2c 100644
--- a/.github/workflows/update-oneclick-apps.yml
+++ b/.github/workflows/update-oneclick-apps.yml
@@ -2,6 +2,9 @@ name: Update one click apps
 on:
   release:
     types: [published]
+permissions:
+  contents: read
+
 jobs:
   update-digitalocean-oneclick-app:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/zulip-ci.yml b/.github/workflows/zulip-ci.yml
index fe3c24aa13..fcc0d1b295 100644
--- a/.github/workflows/zulip-ci.yml
+++ b/.github/workflows/zulip-ci.yml
@@ -19,6 +19,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     strategy:
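Review bot: The three inline comments on the job-level `permissions` block in codeql-analysis.yml have only one space before `#`, which yamllint's `comments` rule (min-spaces-from-content: 2) rejects; write them as `actions: read  # for github/codeql-action/init to get workflow details` and likewise for the `contents` and `security-events` lines. It is also worth recording on the job-level block that it replaces, not extends, the workflow-level `permissions: contents: read` added above it, so that a future maintainer does not assume the top-level grant is inherited; a comment such as `# Job-level permissions replace the workflow default entirely, so list every scope this job needs.` above `permissions:` under `CodeQL:` would capture that. The rest of the CodeQL job body is outside the hunk.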
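Review bot: The new workflow-level `permissions: contents: read` in production-suite.yml is added without a comment saying what it constrains, and the same applies to the identical blocks in update-oneclick-apps.yml and zulip-ci.yml. A one-line comment above it, `# Least-privilege default for GITHUB_TOKEN in every job; a job that needs more must declare its own permissions block.`, would explain both the intent and the override mechanism. Since the jobs' bodies are outside these hunks, I cannot confirm from the diff that no step in them writes through GITHUB_TOKEN; if one does, the failure would now surface as a runtime 403 rather than at parse time, so that check presumably belongs in the commit description.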
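Review bot: In update-oneclick-apps.yml the new `permissions:` stanza is placed directly after `types: [published]` with no separating blank line, whereas the other three workflows in this commit put a blank line between top-level stanzas; for consistency add a blank `+` line before `+permissions:` here as well. The `on:` mapping and the `jobs:` mapping are otherwise untouched and continue outside the hunk.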