diff --git a/.github/workflows/PR-Demo-cleanup.yml b/.github/workflows/PR-Demo-cleanup.yml index 593dbe88bd0..6ed7bea88d7 100644 --- a/.github/workflows/PR-Demo-cleanup.yml +++ b/.github/workflows/PR-Demo-cleanup.yml @@ -4,9 +4,7 @@ on: pull_request: types: [opened, synchronize, reopened, closed] -permissions: - contents: write - pull-requests: write +permissions: read-all env: SERVER_IP: ${{ secrets.VPS_IP }} # Add this to your GitHub secrets @@ -15,6 +13,9 @@ env: jobs: cleanup: runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write if: github.event.action == 'closed' steps: diff --git a/.github/workflows/auto-labeler.yml b/.github/workflows/auto-labeler.yml index 8856314ac67..3495f7ae07c 100644 --- a/.github/workflows/auto-labeler.yml +++ b/.github/workflows/auto-labeler.yml @@ -3,13 +3,13 @@ on: pull_request_target: types: [opened, synchronize] -permissions: - contents: read - pull-requests: write +permissions: read-all jobs: labeler: runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 diff --git a/.github/workflows/licenses-update.yml b/.github/workflows/licenses-update.yml index fcbb2b2389e..8c1e1c29d83 100644 --- a/.github/workflows/licenses-update.yml +++ b/.github/workflows/licenses-update.yml @@ -7,14 +7,14 @@ on: paths: - "build.gradle" -permissions: - contents: write - pull-requests: write +permissions: read-all jobs: generate-license-report: runs-on: ubuntu-latest - + permissions: + contents: write + pull-requests: write steps: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 diff --git a/.github/workflows/manage-label.yml b/.github/workflows/manage-label.yml index a58c3681448..05367ee8c1f 100644 --- a/.github/workflows/manage-label.yml +++ b/.github/workflows/manage-label.yml 
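Review bot: The new job-level block in auto-labeler.yml grants only `pull-requests: write`, and a job-level `permissions` key replaces the workflow-level `read-all` rather than merging with it (every scope not listed becomes none), so this job's token narrows from `contents: read` + `pull-requests: write` to `pull-requests: write` alone. The labeler step itself is outside the hunk, but if it is actions/labeler or anything else that reads the repository through GITHUB_TOKEN, that read access is gone; restoring it is one extra line under the job block, `contents: read`. The same narrowing appears in the `labeler` job of manage-label.yml (`issues: write` only, previously alongside `contents: read`) and the `push` job of push-docker.yml (`packages: write` only, previously alongside `contents: read`), so each of those should be checked against what its steps actually read.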
@@ -4,14 +4,14 @@ on: schedule: - cron: "30 20 * * *" -permissions: - contents: read - issues: write +permissions: read-all jobs: labeler: name: Labeler runs-on: ubuntu-latest + permissions: + issues: write steps: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 diff --git a/.github/workflows/multiOSReleases.yml b/.github/workflows/multiOSReleases.yml index b3973d39206..2792a909031 100644 --- a/.github/workflows/multiOSReleases.yml +++ b/.github/workflows/multiOSReleases.yml @@ -4,9 +4,9 @@ on: workflow_dispatch: release: types: [created] -permissions: - contents: write - packages: write + +permissions: read-all + jobs: build-installers: strategy: @@ -22,6 +22,9 @@ jobs: # platform: linux # ext: deb runs-on: ${{ matrix.os }} + permissions: + contents: write + packages: write steps: - name: Harden Runner diff --git a/.github/workflows/push-docker.yml b/.github/workflows/push-docker.yml index 45907e7475d..a36aec1a457 100644 --- a/.github/workflows/push-docker.yml +++ b/.github/workflows/push-docker.yml @@ -7,13 +7,13 @@ on: - master - main -permissions: - contents: read - packages: write +permissions: read-all jobs: push: runs-on: ubuntu-latest + permissions: + packages: write steps: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 diff --git a/.github/workflows/releaseArtifacts.yml b/.github/workflows/releaseArtifacts.yml index 5bee97c5e8d..ceaa1d0f2b9 100644 --- a/.github/workflows/releaseArtifacts.yml +++ b/.github/workflows/releaseArtifacts.yml @@ -4,12 +4,15 @@ on: workflow_dispatch: release: types: [created] -permissions: - contents: write - packages: write + +permissions: read-all + jobs: push: runs-on: ubuntu-latest + permissions: + contents: write + packages: write strategy: matrix: enable_security: [true, false] diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index f8631b55b8d..3746016ce29 100644 
--- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -5,8 +5,7 @@ on: - cron: "30 0 * * *" workflow_dispatch: -permissions: - contents: read +permissions: read-all jobs: stale: diff --git a/.github/workflows/swagger.yml b/.github/workflows/swagger.yml index 7d5cbab7c94..5022086845b 100644 --- a/.github/workflows/swagger.yml +++ b/.github/workflows/swagger.yml @@ -6,6 +6,8 @@ on: branches: - master +permissions: read-all + jobs: push: runs-on: ubuntu-latest diff --git a/.github/workflows/sync_files.yml b/.github/workflows/sync_files.yml index b3f74275f68..fc4a2fce384 100644 --- a/.github/workflows/sync_files.yml +++ b/.github/workflows/sync_files.yml @@ -9,13 +9,14 @@ on: - "src/main/resources/messages_*.properties" - "scripts/ignore_translation.toml" -permissions: - contents: write - pull-requests: write +permissions: read-all jobs: sync-readme: runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write steps: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
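Review bot: In stale.yml the workflow-level grant widens from `contents: read` to `read-all`, which hands the token read access to every scope (actions, checks, security-events, packages, and so on) rather than just repository contents; nothing in the hunk shows the job needing that, so `permissions: contents: read` (or `permissions: {}` with the required scopes declared on the job) would keep the previous least-privilege baseline. The job body is outside the hunk; if it runs actions/stale, the `issues: write` and `pull-requests: write` it needs to label or close items presumably already sit on the job, since the old workflow-level block did not grant them, but that is worth confirming. The same `read-all` default is added in swagger.yml, where no block existed before, so that change tightens rather than widens.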