diff --git a/.github/workflows/check-pull-request-no-dist-change.yml b/.github/workflows/check-pull-request-no-dist-change.yml
index 20fb779..c9ed4dd 100644
--- a/.github/workflows/check-pull-request-no-dist-change.yml
+++ b/.github/workflows/check-pull-request-no-dist-change.yml
@@ -8,6 +8,9 @@ on:
 paths:
 - 'action/index.js'

+permissions:
+ contents: read
+
 jobs:
 check-no-dist-update:
 name: Check no dist update
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index addb141..fdaaed8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on: # rebuild any PRs and main branch changes
 - main
 - 'releases/*'

+permissions:
+ contents: read
+
 jobs:
 build: # make sure build/ci work properly
 runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 480f781..722c6a3 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -9,6 +9,11 @@ on:
 schedule:
 - cron: '24 4 * * 6'

+permissions:
+ contents: read
+ # Allow uploading CodeQL results
+ security-events: write
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/update-checksums-file.yml b/.github/workflows/update-checksums-file.yml
index a197eac..eb3b479 100644
--- a/.github/workflows/update-checksums-file.yml
+++ b/.github/workflows/update-checksums-file.yml
@@ -7,6 +7,12 @@ on:
 # Support running workflow manually
 workflow_dispatch:

+permissions:
+ # Allow creation of branch for checksums file update
+ contents: write
+ # Allow creation of pull request
+ pull-requests: write
+
 jobs:
 update-checksums:
 name: Update checksums
diff --git a/.github/workflows/update-dist.yml b/.github/workflows/update-dist.yml
index 8dfe189..2573378 100644
--- a/.github/workflows/update-dist.yml
+++ b/.github/workflows/update-dist.yml
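Review bot: In codeql-analysis.yml the new workflow-level `permissions` block leaves out `actions: read`, and a workflow-level block sets every scope it does not list to none. The CodeQL starter workflow lists that scope and marks it as needed only in private repositories, so the analysis may fail if this workflow is ever run in a private fork or mirror. Either add `actions: read`, or add a comment such as `# actions: read is only needed for private repositories` so the omission reads as deliberate. The `analyze` job continues past the end of the hunk, so any job-level permissions it sets are not visible here.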
@@ -4,14 +4,14 @@ on:
 branches:
 - main

+permissions:
+ # Allow the workflow to push the changed file to the repository
+ contents: write
+
 jobs:
 update-dist:
 runs-on: ubuntu-latest

- permissions:
- # Allow the job to push the changed file to the repository
- contents: write
-
 steps:
 - uses: actions/checkout@v4
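Review bot: Moving `contents: write` from the `update-dist` job to the workflow level widens the grant: every job in update-dist.yml, including any added later, now gets a write-capable `GITHUB_TOKEN`, where before only this one job did. Only one job is visible in the hunk, so the effect may be the same today, but the least-privilege default is lost. I would keep the job-level block this hunk removes and make the workflow default read-only with `permissions:` / `contents: read`, so a new job has to request write access explicitly. update-checksums-file.yml grants `contents: write` and `pull-requests: write` at workflow level in the same way and would benefit from the same split. The job's steps continue past the end of the hunk.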