diff --git a/.github/workflows/continuous-integration-workflow.yml b/.github/workflows/continuous-integration-workflow.yml
index d3a9af06..b6a006d0 100644
--- a/.github/workflows/continuous-integration-workflow.yml
+++ b/.github/workflows/continuous-integration-workflow.yml
@@ -11,6 +11,9 @@ on:
 env:
   DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_SECRET_ACCESS_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
diff --git a/.github/workflows/pr-build-workflow.yml b/.github/workflows/pr-build-workflow.yml
index 563a48e1..ec05df5c 100644
--- a/.github/workflows/pr-build-workflow.yml
+++ b/.github/workflows/pr-build-workflow.yml
@@ -5,6 +5,9 @@ on:
     branches:
       - '**'
 
+permissions:
+  contents: read
+
 env:
   DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_SECRET_ACCESS_KEY }}
 
diff --git a/.github/workflows/update-scheduled-release-version.yml b/.github/workflows/update-scheduled-release-version.yml
index 5c0a574c..cc67c2f3 100644
--- a/.github/workflows/update-scheduled-release-version.yml
+++ b/.github/workflows/update-scheduled-release-version.yml
@@ -3,6 +3,9 @@ name: Update Scheduled Release Version
 on:
   workflow_dispatch: # Manual trigger only. Triggered by release-scheduler.yml on main.
 
+permissions:
+  contents: read
+
 jobs:
   update-scheduled-release-version:
     name: Update Scheduled Release Version