diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
index d06349096..587f62170 100644
--- a/.github/workflows/backend.yml
+++ b/.github/workflows/backend.yml
@@ -20,6 +20,9 @@ on:
       - 'backend/**'
       - '.github/workflows/backend.yml'
 
+permissions:
+  contents: read
+
 jobs:
   generate-lockfile:
     name: Generate lockfile
diff --git a/.github/workflows/compress-images.yml b/.github/workflows/compress-images.yml
index ddae41826..eaed3cf92 100644
--- a/.github/workflows/compress-images.yml
+++ b/.github/workflows/compress-images.yml
@@ -16,6 +16,10 @@ on:
       - '**.webp'
   workflow_dispatch:
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   compress-images:
     name: Compress images
diff --git a/.github/workflows/frontend-admin.yml b/.github/workflows/frontend-admin.yml
index e1bbd3ac2..1e0640490 100644
--- a/.github/workflows/frontend-admin.yml
+++ b/.github/workflows/frontend-admin.yml
@@ -8,6 +8,10 @@ on:
     paths:
       - 'frontend-admin/**'
       - '.github/workflows/frontend-admin.yml'
+
+permissions:
+  contents: read
+
 jobs:
   run-tests:
     name: Run tests
diff --git a/.github/workflows/frontend-base-workflow.yml b/.github/workflows/frontend-base-workflow.yml
index 95cfa6bdd..c047b6367 100644
--- a/.github/workflows/frontend-base-workflow.yml
+++ b/.github/workflows/frontend-base-workflow.yml
@@ -22,6 +22,9 @@ on:
         default: false
         type: boolean
 
+permissions:
+  contents: read
+
 jobs:
   run-tests:
     name: Run tests
diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
index f93c6b622..dfe124278 100644
--- a/.github/workflows/frontend.yml
+++ b/.github/workflows/frontend.yml
@@ -8,6 +8,10 @@ on:
     paths:
       - 'frontend/**'
       - '.github/workflows/frontend.yml'
+
+permissions:
+  contents: read
+
 jobs:
   run-tests:
     name: Run tests
diff --git a/.github/workflows/schema-validation.yml b/.github/workflows/schema-validation.yml
index c645f877a..962e19faa 100644
--- a/.github/workflows/schema-validation.yml
+++ b/.github/workflows/schema-validation.yml
@@ -7,6 +7,9 @@ on:
       - 'backend/**'
       - '.github/workflows/schema-validation.yml'
 
+permissions:
+  contents: read
+
 jobs:
   validate-schema:
     name: OpenAPI schema validation