diff --git a/.github/workflows/checkDependencies.yml b/.github/workflows/checkDependencies.yml
index 40425788ba1..005ee4a16e6 100644
--- a/.github/workflows/checkDependencies.yml
+++ b/.github/workflows/checkDependencies.yml
@@ -7,6 +7,9 @@ on:
   schedule:
     - cron:  '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   check-dependencies:
     uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/checkDependencies.yml@master
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fde222c38eb..884cbf53ea5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,6 +15,9 @@ on:
       - 'docs/**'
       - '*.md'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/mavenBuild.yml@master
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 46f3230490a..cc669cadbcb 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: '15 8 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   callCodeQLworkflow:
     uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/codeQLworkflow.yml@master
diff --git a/.github/workflows/doCleanCode.yml b/.github/workflows/doCleanCode.yml
index 2242d3adba8..a976c24d7db 100644
--- a/.github/workflows/doCleanCode.yml
+++ b/.github/workflows/doCleanCode.yml
@@ -7,6 +7,9 @@ on:
   schedule:
     - cron:  '0 2 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   clean-code:
     uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/cleanCode.yml@master
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index d8dfc50969a..61e4a4b4792 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -9,6 +9,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   check-freeze-period:
     uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/verifyFreezePeriod.yml@master
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index 32759a5869b..f5650319d91 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -6,6 +6,9 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
     check:
        uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/publishTestResults.yml@master
diff --git a/.github/workflows/version-increments.yml b/.github/workflows/version-increments.yml
index 7f0450b41ac..c4d9915aefb 100644
--- a/.github/workflows/version-increments.yml
+++ b/.github/workflows/version-increments.yml
@@ -5,6 +5,9 @@ on:
     workflows: [ 'Pull-Request Checks' ]
     types: [ completed ]
 
+permissions:
+  contents: read
+
 jobs:
   publish-version-check-results:
     uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/publishVersionCheckResults.yml@master