diff --git a/.github/workflows/codacy-analysis.yml b/.github/workflows/codacy-analysis.yml
index b388e8c911e..04d1bc639bb 100644
--- a/.github/workflows/codacy-analysis.yml
+++ b/.github/workflows/codacy-analysis.yml
@@ -17,6 +17,8 @@ on:
 schedule:
 - cron: '32 4 * * 0'
+permissions: {}
+
 jobs:
 codacy-security-scan:
 name: Codacy Security Scan
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index acde4702b14..bcb9b11e4cb 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,6 +14,11 @@ on:
 schedule:
 - cron: '0 14 * * 6'
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index cf03a984f2e..6cf17228d71 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -22,6 +22,8 @@ on:
 - 'win.version-info.txt.in'
 pull_request:
+permissions: {}
+
 jobs:
 package-macos:
 runs-on: macos-11
@@ -240,6 +242,8 @@ jobs:
 - package-macos
 - package-windows
 - package-pypi
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@v3
 - uses: actions/setup-python@v4
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
index 5f3b1e1a12b..35bebda8074 100644
--- a/.github/workflows/pypi-release.yml
+++ b/.github/workflows/pypi-release.yml
@@ -2,6 +2,7 @@ name: Package for PyPI
 on: [workflow_call]
+permissions: {}
 defaults:
 run:
 shell: bash
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
index 285a139d990..015c8894334 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/run-tests.yml
@@ -1,6 +1,7 @@
 name: Run tests
 on: [push, pull_request]
+permissions: {}
 jobs:
 test-latest:
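Review bot: With `permissions: {}` at workflow level in codacy-analysis.yml, the `codacy-security-scan` job runs with a token that has no scopes unless it declares its own block, and nothing in this hunk adds one. If the job uploads SARIF results to code scanning, which the job name suggests but the hunk does not show, that step needs `security-events: write`, and checkout on a private repository needs `contents: read`. A job-level block under `codacy-security-scan:` carrying those two scopes would keep the empty default while letting the upload succeed. The job body lies outside the hunk, so confirm whether such a block already exists there.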
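Review bot: The three grants in codeql-analysis.yml sit at workflow level, so any job added to this file later inherits `security-events: write` without asking for it. Moving the same block under `analyze:` keeps the write scope on the one job that uploads results and matches the job-level grant used in package.yml. A short comment such as `# security-events: write is needed to upload CodeQL results` above the block would record why the scope is there. The body of `analyze` is outside the hunk.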
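Review bot: The empty default in package.yml carries no comment, so a job added later will run with a scope-less token and fail at its first authenticated API call with no hint in the file as to why. A line above it such as `# Default to no token scopes; each job opts in to what it needs` would record the intent, and the same applies to the `permissions: {}` added in pypi-release.yml and run-tests.yml. Jobs that only run `actions/checkout` should keep working under `{}` on a public repository, but a private fork or mirror would need `contents: read` on them.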
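Review bot: `contents: write` is granted to a job in a workflow that also triggers on `pull_request` (visible in the first hunk of package.yml), so the write scope should be tied to the release condition. If the job has no `if:` guard outside this hunk, a condition such as `if: startsWith(github.ref, 'refs/tags/')` would keep branch and same-repository pull-request runs from reaching these steps with a write token. The steps reference `actions/checkout@v3` and `actions/setup-python@v4` by mutable tag; pinning them to a full commit SHA matters more now that this job's token can write to the repository. The job header and the rest of its steps are outside the hunk.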