diff --git a/.github/workflows/cd-config.yml b/.github/workflows/cd-config.yml
index 8c9297ece9..eed4393900 100644
--- a/.github/workflows/cd-config.yml
+++ b/.github/workflows/cd-config.yml
@@ -9,9 +9,13 @@ on:
       - inrupt-client-[0-9]+.[0-9]+.[0-9]+.Alpha[0-9]+
       - inrupt-client-[0-9]+.[0-9]+.[0-9]+.Beta[0-9]+
 
+permissions: {}
+
 jobs:
   deployment:
     name: Deploy artifacts
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     environment:
       name: ${{ matrix.envName }}
diff --git a/.github/workflows/ci-config.yml b/.github/workflows/ci-config.yml
index be1a18bd42..f0974e521f 100644
--- a/.github/workflows/ci-config.yml
+++ b/.github/workflows/ci-config.yml
@@ -5,9 +5,13 @@ on:
   pull_request: { }
   merge_group: { }
 
+permissions: {}
+
 jobs:
   build:
     name: Java environment
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -58,6 +62,8 @@ jobs:
 
   performance:
     name: Performance Tests
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -79,6 +85,8 @@ jobs:
 
   documentation:
     name: Documentation Check
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -99,6 +107,8 @@ jobs:
 
   sonar:
     name: Sonar Scan
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     if: ${{ github.actor != 'dependabot[bot]' }}
 
diff --git a/.github/workflows/site-ci-config.yml b/.github/workflows/site-ci-config.yml
index 97b8ea6cc4..e78e17ffa8 100644
--- a/.github/workflows/site-ci-config.yml
+++ b/.github/workflows/site-ci-config.yml
@@ -6,9 +6,13 @@ on:
     paths:
       - '**/site/**'
 
+permissions: {}
+
 jobs:
   site:
     name: Project site
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     strategy:
       matrix: