diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
index f21b0092..48268489 100644
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@@ -1,4 +1,6 @@
 name: Lint GitHub Actions
+permissions:
+ contents: read
 on:
 push:
 paths: ['.github/**']
diff --git a/.github/workflows/check-code-hygiene.yml b/.github/workflows/check-code-hygiene.yml
index ab18810a..72960706 100644
--- a/.github/workflows/check-code-hygiene.yml
+++ b/.github/workflows/check-code-hygiene.yml
@@ -1,5 +1,6 @@
 name: Code Hygiene
-
+permissions:
+ contents: read
 on:
 pull_request:
 branches:
diff --git a/.github/workflows/check-test-coverage.yml b/.github/workflows/check-test-coverage.yml
index 3daafea2..82d47c31 100644
--- a/.github/workflows/check-test-coverage.yml
+++ b/.github/workflows/check-test-coverage.yml
@@ -1,5 +1,4 @@
 name: Jest Coverage Check
-
 on:
 push:
 branches: [main]
@@ -11,6 +10,10 @@ jobs:
 name: Jest Test with Coverage Check
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ actions: write
+
 steps:
 - name: Check out code
 uses: actions/checkout@v4
diff --git a/.github/workflows/production-deploy.yml b/.github/workflows/production-deploy.yml
index dec2b21f..c39f49c2 100644
--- a/.github/workflows/production-deploy.yml
+++ b/.github/workflows/production-deploy.yml
@@ -1,5 +1,6 @@
 name: Deploy Production
-
+permissions:
+ contents: read
 on:
 workflow_dispatch:
 inputs:
diff --git a/.github/workflows/staging-deploy.yml b/.github/workflows/staging-deploy.yml
index 1f6f3563..a94a0faa 100644
--- a/.github/workflows/staging-deploy.yml
+++ b/.github/workflows/staging-deploy.yml
@@ -1,5 +1,6 @@
 name: Deploy Staging
-
+permissions:
+ contents: read
 on:
 workflow_dispatch:
 push:
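Review bot: In `.github/workflows/check-test-coverage.yml`, the new job-level block grants `actions: write` with nothing in the hunk saying which step needs it; that scope lets the job's token manage workflow runs and caches, and the workflow runs on pushes to `main` (any other triggers are outside the hunk). If no step needs it, drop the line; if one does, say so on the line, for example `actions: write  # required by <step name>`. This is also the only file in the commit without a workflow-level `permissions:` block, so any other job under `jobs:` (the rest of the file is outside the hunk) would still get the repository's default token permissions; adding `permissions:` with `contents: read` under `name:`, as in the other four workflows, would close that gap.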
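Review bot: In `.github/workflows/production-deploy.yml`, and in the identical change to `staging-deploy.yml`, the workflow-level `permissions:` block sets every scope it does not list to `none` for all jobs, and the deploy jobs themselves are outside the hunk. If any of them uses the token for more than reading the repository (OIDC federation needs `id-token: write`, deployment status updates need `deployments: write`), it will start failing after this change. Such grants belong at job level, leaving the workflow default at read-only. A comment above the block would record the intent for the next editor, e.g. `# Default GITHUB_TOKEN to read-only; grant extra scopes per job.`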