diff --git a/.github/workflows/build-and-deploy-snapshot.yml b/.github/workflows/build-and-deploy-snapshot.yml
index 1c033af82e2..d3d94b04d4a 100644
--- a/.github/workflows/build-and-deploy-snapshot.yml
+++ b/.github/workflows/build-and-deploy-snapshot.yml
@@ -4,6 +4,8 @@ on:
   push:
     branches:
       - 'main'
+permissions:
+  contents: read
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 40501dccc18..6e7d164dd2a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,6 +3,8 @@ on:
   push:
     branches:
       - 'main'
+permissions:
+  contents: read
 jobs:
   ci:
     name: '${{ matrix.os.name}} | Java ${{ matrix.java.version}}'
diff --git a/.github/workflows/distribute.yml b/.github/workflows/distribute.yml
index eebe17b4159..e8462178fe5 100644
--- a/.github/workflows/distribute.yml
+++ b/.github/workflows/distribute.yml
@@ -15,6 +15,8 @@ on:
         description: 'Version to bundle and distribute'
         required: true
         type: string
+permissions:
+  contents: read
 jobs:
   distribute-spring-enterprise-release-bundle:
     runs-on: ${{ vars.UBUNTU_SMALL || 'ubuntu-latest' }}
diff --git a/.github/workflows/release-milestone.yml b/.github/workflows/release-milestone.yml
index 5afd919200e..32d41c978b6 100644
--- a/.github/workflows/release-milestone.yml
+++ b/.github/workflows/release-milestone.yml
@@ -4,6 +4,8 @@ on:
   push:
     tags:
       - v4.0.0-M[0-9]
       - v4.0.0-RC[0-9]
+permissions:
+  contents: read
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7e2fa23a929..62a6c727749 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,8 @@ on:
   push:
     tags:
       - v4.0.[0-9]+
+permissions:
+  contents: read
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
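Review bot: Workflow-level `permissions: contents: read` in build-and-deploy-snapshot.yml sets every other GITHUB_TOKEN scope to none for all jobs, and the jobs of this workflow, as well as those of release-milestone.yml and release.yml which receive the same addition, lie outside the hunk; any job there that writes to the repository or dispatches another workflow (as trigger-docs-build.yml does with `actions: write`) now needs its own job-level `permissions:` block, otherwise the failure surfaces only on the next tagged release. ci.yml, distribute.yml and run-system-tests.yml get the identical addition and the same check applies to their jobs. A brief comment above the new block, `# least-privilege default for GITHUB_TOKEN; jobs that need more declare it at job level`, would record the intent for future edits.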
diff --git a/.github/workflows/run-codeql-analysis.yml b/.github/workflows/run-codeql-analysis.yml
new file mode 100644
index 00000000000..13962090949
--- /dev/null
+++ b/.github/workflows/run-codeql-analysis.yml
@@ -0,0 +1,15 @@
+name: "Run CodeQL Analysis"
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 5 * * *'
+permissions: read-all
+jobs:
+  run-analysis:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: spring-io/github-actions/.github/workflows/codeql-analysis.yml@6e66995f7d29de1e4ff76e4f0def7a10163fe910
diff --git a/.github/workflows/run-system-tests.yml b/.github/workflows/run-system-tests.yml
index 154fa471248..982bc156a3e 100644
--- a/.github/workflows/run-system-tests.yml
+++ b/.github/workflows/run-system-tests.yml
@@ -3,6 +3,8 @@ on:
   push:
     branches:
       - 'main'
+permissions:
+  contents: read
 jobs:
   run-system-tests:
     name: 'Java ${{ matrix.java.version}}'
diff --git a/.github/workflows/trigger-docs-build.yml b/.github/workflows/trigger-docs-build.yml
index 4b4e6058b85..a6e8e3bfaef 100644
--- a/.github/workflows/trigger-docs-build.yml
+++ b/.github/workflows/trigger-docs-build.yml
@@ -12,12 +12,14 @@ on:
         description: 'Version being build (e.g. 1.0.3-SNAPSHOT)'
         required: false
 permissions:
-  actions: write
+  contents: read
 jobs:
   trigger-docs-build:
     name: Trigger Docs Build
     if: github.repository_owner == 'spring-projects'
     runs-on: ${{ vars.UBUNTU_SMALL || 'ubuntu-latest' }}
+    permissions:
+      actions: write
     steps:
     - name: Check Out
       uses: actions/checkout@v4
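Review bot: `permissions: read-all` at workflow level in run-codeql-analysis.yml is broader than the `contents: read` baseline the other workflows in this commit adopt, and since the only job declares its own `permissions:` block the workflow-level value does nothing for it today but would silently grant read on every scope to any job added later; `permissions: contents: read` (or `permissions: {}`) keeps the baseline consistent. Pinning the reusable workflow to a full commit SHA is the right call; a trailing comment naming the release the SHA corresponds to, e.g. `# <tag-or-version placeholder>`, makes the pin auditable without leaving the file. `on: push:` with no branch filter combined with `pull_request:` runs the analysis twice for pushes to branches that have an open pull request, so if that is not intended, `branches: ['main']` under `push:` would match the other workflows. The quoting style also differs from the rest of the set (`name: "Run CodeQL Analysis"` versus the single-quoted strings used elsewhere).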
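Review bot: The job-level `permissions:` block added under trigger-docs-build replaces the workflow-level block rather than merging with it, so the job's GITHUB_TOKEN receives `actions: write` and every other scope, including the `contents: read` introduced at the top of the same hunk, is set to none. The `actions/checkout@v4` step that follows relies on a token that can read the repository, so the job block should state `contents: read` alongside `actions: write` rather than depend on the repository being public. The job's remaining steps continue past the hunk, so any further scope they need cannot be judged from here.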