diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index e814b72f..20607737 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -9,10 +9,7 @@ on:
 - main
 permissions:
- actions: read
- checks: write
 contents: read
- security-events: write
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -22,6 +19,11 @@ jobs:
 analyze:
 name: Analyze
 runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ checks: write
+ contents: read
+ security-events: write
 steps:
 - name: Harden the runner (Audit all outbound calls)
diff --git a/.github/workflows/markdown.yml b/.github/workflows/markdown.yml
index 08613ccd..ac4769c3 100644
--- a/.github/workflows/markdown.yml
+++ b/.github/workflows/markdown.yml
@@ -13,6 +13,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 linter:
 name: Lint Markdown Files
diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml
index e87a62f7..cac07bcb 100644
--- a/.github/workflows/mkdocs.yml
+++ b/.github/workflows/mkdocs.yml
@@ -5,8 +5,7 @@ on:
 - '.github/workflows/mkdocs.yml'
 - 'docs/**/*'
 push:
- branches:
- main
+ branches: [ main ]
 paths:
 - '.github/workflows/mkdocs.yml'
 - 'docs/**/*'
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 2f1a487a..e0ee0dc8 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -11,8 +11,8 @@ on:
 push:
 branches: [ "main" ]
-# Declare default permissions as read-only.
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 analysis:
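Review bot: `checks: write` in the new job-level `permissions:` block on `analyze` (codeql.yml, second hunk) is carried over from the old workflow-level block with no visible consumer. Uploading CodeQL results needs `security-events: write`, and `actions: read` / `contents: read` cover private repositories, but nothing in the hunk creates or updates check runs. The job's steps continue outside the hunk, so confirm whether any of them writes checks and drop the line if none does. Either way, annotate each scope so later edits do not widen it blindly, e.g. `security-events: write  # upload SARIF results to code scanning`.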
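Review bot: The new workflow-level `permissions:` block in markdown.yml has no comment saying it is the default for every job in the file, so a job added later may widen it at the top level instead of per job. Put a line above it such as `# Least-privilege default for GITHUB_TOKEN; a job that needs more declares it at job level.` The `linter` job's steps are outside the hunk, so it cannot be confirmed from here that `contents: read` is enough for them. If the linter reports through statuses or pull-request comments, that scope belongs on the job.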
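Review bot: Narrowing the workflow default in scorecard.yml from `read-all` to `contents: read` is only safe if the `analysis` job carries its own `permissions:` block, and that job's body lies outside this hunk. A job-level block replaces the workflow-level one rather than adding to it, and Scorecard's result upload depends on `security-events: write` (plus `id-token: write` when results are published). Confirm those are declared on the job, and add `actions: read` there if the repository is private. The explanatory comment was deleted along with the old value; keep one, e.g. `# Default to read-only repository contents; the job grants what it needs.`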