diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
index 3847327638..a40d4e4690 100644
--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@@ -10,6 +10,9 @@ on:
 branches:
 - "**"

+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index bf2f5d53d2..9f17a02c85 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,13 +8,14 @@ on:
 schedule:
 - cron: "0 0 * * *"

+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 analyze:
 name: Analyze
 runs-on: ubuntu-latest
 permissions:
- actions: read
- contents: read
 security-events: write

 strategy:
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index e340db36d0..24642b3453 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -7,6 +7,9 @@ on:
 tags:
 - '*'

+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 docker:
 runs-on: ubuntu-20.04
diff --git a/.github/workflows/rit.yml b/.github/workflows/rit.yml
index 3b18c3b0dd..e9e10c9a63 100644
--- a/.github/workflows/rit.yml
+++ b/.github/workflows/rit.yml
@@ -17,6 +17,9 @@ on:
 required: false
 default: 'master'

+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 rootstock-integration-tests:
 name: Rootstock Integration Tests
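Review bot: `permissions: read-all` in .github/workflows/build_and_test.yml gives the workflow token read access to every scope, which is broader than a build-and-test job normally needs; the same line is added in docker.yml and rit.yml. If these jobs only check out the repository, a workflow-level `permissions:` mapping containing just `contents: read` is the tighter default, with any further scope declared on the job that needs it. The job bodies continue outside the hunks, so it is worth confirming that none of them writes with GITHUB_TOKEN (a registry push in docker.yml, for instance, would need a job-level `packages: write`), because the new default removes write access.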
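Review bot: In .github/workflows/codeql.yml the removed `actions: read` and `contents: read` are not inherited from the new workflow-level `permissions: read-all`, because a job-level `permissions` block replaces the workflow default and sets every scope it does not list to `none`. The analyze job therefore runs with only `security-events: write`. That is sufficient on a public repository, but CodeQL needs both read scopes on a private one, so keeping `actions: read` and `contents: read` under the job's `permissions:` is the safer form. The analyze job continues outside the hunk.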