diff --git a/.github/workflows/bandit-scan.yml b/.github/workflows/bandit-scan.yml
index 908c64b..61678a8 100644
--- a/.github/workflows/bandit-scan.yml
+++ b/.github/workflows/bandit-scan.yml
@@ -1,5 +1,7 @@
 name: Bandit Scan
+permissions: {}
+
 on:
 push:
 branches: [ version-0 ]
@@ -9,14 +11,7 @@ on:
 jobs:
 bandit-security-scan:
 runs-on: ubuntu-latest
- permissions:
- id-token: write
- contents: read
- # Explicitly set permissions, following the principle of least privilege
- actions: read
- checks: write
- pull-requests: write
-
+
 steps:
 - name: Checkout code
 uses: actions/checkout@v5
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 0656fd7..0a1dd00 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -1,7 +1,6 @@
 name: CI/CD
-permissions:
- contents: read
+permissions: {}
 on:
 push:
@@ -33,6 +32,8 @@ jobs:
 integration-tests:
 name: Python v${{ matrix.python-version }} - Django ${{ matrix.django-version }}
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write # required by aws-actions/configure-aws-credentials
 strategy:
 # If we run more than one job at a time, we will have to have one cluster
 # for each flavor of the job. Otherwise they will interfere with each other
@@ -60,14 +61,7 @@ jobs:
 django-version: '>=5.1,<5.2'
 - python-version: '3.9'
 django-version: '>=5.2,<5.3'
- permissions:
- id-token: write
- contents: read
- # Explicitly set permissions, following the principle of least privilege
- actions: read
- checks: write
- pull-requests: write
-
+
 steps:
 - name: Checkout code
 uses: actions/checkout@v5
diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml
index bbe0981..48ca564 100644
--- a/.github/workflows/closed-issue-message.yml
+++ b/.github/workflows/closed-issue-message.yml
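Review bot: Deleting the whole job-level `permissions:` block under `bandit-security-scan` leaves the job with the workflow-level `permissions: {}`, i.e. a GITHUB_TOKEN with no scopes at all, which is stricter than the `contents: read` the old block kept. If this repository is private, `actions/checkout@v5` will fail without `contents: read`, and any later step in the job (outside this hunk) that relied on the dropped `checks: write` / `pull-requests: write` — or uploads SARIF, which needs `security-events: write` — will now get a 403. If checkout is the only API consumer, restore the minimum at job level with a reason comment: `permissions:` / `  contents: read # required by actions/checkout`. The job's remaining steps run past the end of the hunk, so confirm against them.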
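Review bot: A job-level `permissions:` block replaces the workflow-level one rather than merging with it, so `integration-tests` now runs with `id-token: write` and nothing else — the `contents: read` the removed block (the -60 hunk) granted is gone. If this repository is private, `actions/checkout@v5` in that job will fail; either way `id-token: write` with no `contents: read` is unusual enough to deserve the explicit grant. Suggested block: `permissions:` / `  id-token: write # required by aws-actions/configure-aws-credentials` / `  contents: read # required by actions/checkout`. The old block also granted `checks: write` and `pull-requests: write`; if a test-reporting step later in the job (outside the hunk) depends on them, it will now 403.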
@@ -1,12 +1,15 @@
 name: Closed Issue Message
+
+permissions: {}
+
 on:
 issues:
 types: [closed]
-permissions: {}
+
 jobs:
 auto_comment:
 permissions:
- issues: write # to comment on issues
+ issues: write # required by aws-actions/closed-issue-message
 runs-on: ubuntu-latest
 steps:
 - uses: aws-actions/closed-issue-message@v2
diff --git a/.github/workflows/deps-review.yml b/.github/workflows/deps-review.yml
index c70f70f..caef89a 100644
--- a/.github/workflows/deps-review.yml
+++ b/.github/workflows/deps-review.yml
@@ -1,8 +1,8 @@
 name: 'Dependency Review'
-on: [pull_request]
-permissions:
- contents: read
+permissions: {}
+
+on: [pull_request]
 jobs:
 dependency-review:
diff --git a/.github/workflows/handle-stale-discussions.yml b/.github/workflows/handle-stale-discussions.yml
index 2b89f2d..a5b1464 100644
--- a/.github/workflows/handle-stale-discussions.yml
+++ b/.github/workflows/handle-stale-discussions.yml
@@ -1,4 +1,7 @@
 name: HandleStaleDiscussions
+
+permissions: {}
+
 on:
 schedule:
 - cron: '0 */4 * * *'
@@ -10,7 +13,7 @@ jobs:
 name: Handle stale discussions
 runs-on: ubuntu-latest
 permissions:
- discussions: write
+ discussions: write # required by aws-github-ops/handle-stale-discussions
 steps:
 - name: Stale discussions action
 uses: aws-github-ops/handle-stale-discussions@v1
diff --git a/.github/workflows/issue-regression-labeler.yml b/.github/workflows/issue-regression-labeler.yml
index a233f91..cd9fe46 100644
--- a/.github/workflows/issue-regression-labeler.yml
+++ b/.github/workflows/issue-regression-labeler.yml
@@ -1,13 +1,17 @@
 # Apply potential regression label on issues
 name: issue-regression-label
+
+permissions: {}
+
 on:
 issues:
 types: [opened, edited]
+
 jobs:
 add-regression-label:
 runs-on: ubuntu-latest
 permissions:
- issues: write
+ issues: write # required to label issues
 steps:
 - name: Fetch template body
 id: check_regression
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b2aa871..fc7b85c 100644
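Review bot: In `deps-review.yml` the workflow-level `contents: read` is replaced by `permissions: {}` but nothing in this hunk re-grants it to the `dependency-review` job; actions/dependency-review-action reads the PR's dependency-graph comparison through the API and documents `contents: read` as required (with `pull-requests: write` only when it is configured to comment on the PR). Unless the job body below the hunk adds a `permissions:` block, the check will start failing with 403 on the next pull request. Suggested lines under `dependency-review:`: `permissions:` / `  contents: read # required by actions/dependency-review-action`. The job definition continues outside the hunk, so confirm against its steps.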
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,13 +1,11 @@
 name: Release
+permissions: {}
+
 on:
 release:
 types: [ published ]
-permissions:
- contents: write
- pull-requests: write
-
 env:
 DEFAULT_BRANCH: version-0
@@ -47,6 +45,8 @@ jobs:
 needs:
 - build
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write # required by rhysd/changelog-from-release
 steps:
 - name: Checkout default branch for changelog
 uses: actions/checkout@v5
@@ -70,7 +70,7 @@ jobs:
 name: testpypi
 url: https://test.pypi.org/p/aurora-dsql-django
 permissions:
- id-token: write
+ id-token: write # required by pypa/gh-action-pypi-publish
 steps:
 - name: Download all the dists
 uses: actions/download-artifact@v5
@@ -91,7 +91,7 @@ jobs:
 name: pypi
 url: https://pypi.org/p/aurora-dsql-django
 permissions:
- id-token: write
+ id-token: write # required by pypa/gh-action-pypi-publish
 steps:
 - name: Download all the dists
 uses: actions/download-artifact@v5
diff --git a/.github/workflows/stale-issues.yml b/.github/workflows/stale-issues.yml
index 8e6444b..74d22ba 100644
--- a/.github/workflows/stale-issues.yml
+++ b/.github/workflows/stale-issues.yml
@@ -1,16 +1,17 @@
 name: "Close stale issues"
+permissions: {}
+
 # Controls when the action will run.
 on:
 schedule:
 - cron: "0 0 * * *"
-permissions: {}
 jobs:
 cleanup:
 permissions:
- issues: write # to label, comment and close issues
- pull-requests: write # to label, comment and close pull requests
+ issues: write # required to label, comment and close issues
+ pull-requests: write # required to label, comment and close pull requests
 runs-on: ubuntu-latest
 name: Stale issue job
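Review bot: The changelog job (the `@@ -47` hunk) is granted only `pull-requests: write`, but the workflow previously also carried `contents: write` at the top level, and that is the scope rhysd/changelog-from-release needs when it commits the regenerated CHANGELOG and pushes it, or pushes a branch for a PR — `pull-requests: write` alone cannot push. If the action step (outside this hunk) runs with committing/pushing enabled, add `contents: write # required by rhysd/changelog-from-release to push the changelog commit` next to the existing grant; likewise check whether `build` (also outside the hunk) uploads release assets, which needs `contents: write` too. Since the `id-token: write` jobs hand an OIDC token to the publish action, the `uses:` references in this file are good candidates for SHA pinning instead of `@v5`-style tags.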