diff --git a/.github/workflows/ci-java.yml b/.github/workflows/ci-java.yml index b2ad27f9d2..c68edac0b8 100644 --- a/.github/workflows/ci-java.yml +++ b/.github/workflows/ci-java.yml @@ -15,10 +15,12 @@ on: - main permissions: - pull-requests: write + contents: read jobs: build: + permissions: + pull-requests: write runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/close-stale.yaml b/.github/workflows/close-stale.yaml index 55faf33f71..d15a6768a2 100644 --- a/.github/workflows/close-stale.yaml +++ b/.github/workflows/close-stale.yaml @@ -4,11 +4,13 @@ on: - cron: "40 3 * * *" # Run daily at 3:40 AM permissions: - issues: write - pull-requests: write + contents: read jobs: stale: + permissions: + issues: write + pull-requests: write runs-on: ubuntu-latest steps: - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 diff --git a/.github/workflows/publish-layer-collector.yml b/.github/workflows/publish-layer-collector.yml index dbcb953295..4b8cd9656d 100644 --- a/.github/workflows/publish-layer-collector.yml +++ b/.github/workflows/publish-layer-collector.yml @@ -117,6 +117,9 @@ jobs: fi echo "release_jobs={"architecture": ${architectures}, "aws_region": ${aws_regions}}" | tr -d '[:space:]' >> $GITHUB_OUTPUT release-layer: + permissions: # required by the reusable workflow + contents: read + id-token: write uses: ./.github/workflows/layer-publish.yml needs: prepare-release-jobs strategy: diff --git a/.github/workflows/release-layer-collector.yml b/.github/workflows/release-layer-collector.yml index 2f0f691185..300fa4ca59 100644 --- a/.github/workflows/release-layer-collector.yml +++ b/.github/workflows/release-layer-collector.yml @@ -7,7 +7,6 @@ on: - layer-collector/** permissions: - id-token: write contents: read jobs: 
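Review bot: The new job-level `permissions` block on `build` in ci-java.yml lists only `pull-requests: write`, and a job-level block replaces the workflow-level one rather than merging with it, so every scope not listed (including `contents`) becomes `none` for this job. The job's first visible step is `actions/checkout`, which needs read access to contents on a private or internal repository; on a public repository it likely still works, but the grant should be explicit. Add `contents: read` next to `pull-requests: write` under `build.permissions`, as the `release-layer` and `publish-layer` jobs in this commit already do. The same override applies to the `stale` job in close-stale.yaml, where no checkout is visible in the hunk, so it is probably harmless there. The `build` job's steps continue outside the hunk.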
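Review bot: The comment `# required by the reusable workflow` on `release-layer.permissions` in publish-layer-collector.yml does not say which scope is needed for what, and `id-token: write` is the one a later reader most needs explained, since it lets the called workflow request an OIDC token. I would annotate each line instead, e.g. `id-token: write  # OIDC token requested in layer-publish.yml` and `contents: read  # repository read for layer-publish.yml` (purposes inferred; layer-publish.yml is not shown here). The caller's grant is only an upper bound, so layer-publish.yml should also declare its own `permissions` on the job that needs the token. The same comment recurs on the `publish-layer`, `publish-javaagent-layer` and `publish-javawrapper-layer` jobs in the release-layer-*.yml hunks of this commit. No workflow-level `permissions` change is visible for this file, so if it has none, `prepare-release-jobs` still runs with the repository's default token scopes.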
@@ -59,6 +58,9 @@ jobs: echo "COLLECTOR_VERSION=$COLLECTOR_VERSION" >> $GITHUB_OUTPUT publish-layer: + permissions: # required by the reusable workflow + contents: read + id-token: write uses: ./.github/workflows/layer-publish.yml needs: build-layer strategy: diff --git a/.github/workflows/release-layer-java.yml b/.github/workflows/release-layer-java.yml index 7aef17738c..0b142cec7e 100644 --- a/.github/workflows/release-layer-java.yml +++ b/.github/workflows/release-layer-java.yml @@ -7,7 +7,6 @@ on: - layer-javaagent/** permissions: - id-token: write contents: read jobs: @@ -80,6 +79,9 @@ jobs: echo "JAVAWRAPPER_VERSION=$JAVAWRAPPER_VERSION" >> $GITHUB_OUTPUT publish-javaagent-layer: + permissions: # required by the reusable workflow + contents: read + id-token: write uses: ./.github/workflows/layer-publish.yml needs: build-layer strategy: @@ -114,6 +116,9 @@ jobs: secrets: inherit publish-javawrapper-layer: + permissions: # required by the reusable workflow + contents: read + id-token: write uses: ./.github/workflows/layer-publish.yml needs: build-layer strategy: diff --git a/.github/workflows/release-layer-nodejs.yml b/.github/workflows/release-layer-nodejs.yml index b787a5f203..b688e6a3a2 100644 --- a/.github/workflows/release-layer-nodejs.yml +++ b/.github/workflows/release-layer-nodejs.yml @@ -7,7 +7,6 @@ on: - layer-nodejs/** permissions: - id-token: write contents: read jobs: @@ -65,6 +64,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} publish-layer: + permissions: # required by the reusable workflow + contents: read + id-token: write uses: ./.github/workflows/layer-publish.yml needs: build-layer strategy: diff --git a/.github/workflows/release-layer-python.yml b/.github/workflows/release-layer-python.yml index a146d2a9be..9c1387ef29 100644 --- a/.github/workflows/release-layer-python.yml +++ b/.github/workflows/release-layer-python.yml @@ -7,7 +7,6 @@ on: - layer-python/** permissions: - id-token: write contents: read jobs: 
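Review bot: `secrets: inherit` on `publish-javaagent-layer` in release-layer-java.yml (visible as context just above the `publish-javawrapper-layer` addition) still passes every secret available to the caller into layer-publish.yml, which works against the scoping this commit adds with per-job `permissions`. If the reusable workflow authenticates through the OIDC token granted by `id-token: write`, it may need few or no secrets; consider replacing `secrets: inherit` with an explicit `secrets:` map such as `SECRET_NAME: ${{ secrets.SECRET_NAME }}` (placeholder name), listing only what layer-publish.yml declares. Whether the other callers in this commit also use `secrets: inherit` is not visible in their hunks.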
@@ -72,6 +71,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} publish-layer: + permissions: # required by the reusable workflow + contents: read + id-token: write uses: ./.github/workflows/layer-publish.yml needs: build-layer strategy: diff --git a/.github/workflows/release-layer-ruby.yml b/.github/workflows/release-layer-ruby.yml index 523c28fbc4..2eccb916d2 100644 --- a/.github/workflows/release-layer-ruby.yml +++ b/.github/workflows/release-layer-ruby.yml @@ -7,7 +7,6 @@ on: - layer-ruby/** permissions: - id-token: write contents: read jobs: @@ -64,6 +63,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} publish-layer: + permissions: # required by the reusable workflow + contents: read + id-token: write uses: ./.github/workflows/layer-publish.yml needs: build-layer strategy: