diff --git a/.github/workflows/backend-ci.yaml b/.github/workflows/backend-ci.yaml
index 99446f9a1..3f7611bd5 100644
--- a/.github/workflows/backend-ci.yaml
+++ b/.github/workflows/backend-ci.yaml
@@ -12,6 +12,10 @@ on:
 - 'backend/**'
 - '.github/workflows/backend-ci.yaml'
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 golang-lint:
 name: Golang CI Lint
@@ -33,10 +37,10 @@ jobs:
 run: |
 # Install golangci-lint
 curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.2.1
-
+
 # Add golangci-lint to PATH
 export PATH=$PATH:$(go env GOPATH)/bin
-
+
 # Run golangci-lint
 golangci-lint run --config ../.github/.golangci.yaml
@@ -70,4 +74,4 @@ jobs:
 slug: coze-dev/cozeloop
 fail_ci_if_error: false
 verbose: true
- token: ${{ secrets.CODECOV_TOKEN }}
\ No newline at end of file
+ token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/frontend-ci.yaml b/.github/workflows/frontend-ci.yaml
index 7669f422d..6ff3c5a8a 100644
--- a/.github/workflows/frontend-ci.yaml
+++ b/.github/workflows/frontend-ci.yaml
@@ -13,6 +13,10 @@ on:
 - '.github/workflows/frontend-ci.yaml'
 workflow_dispatch:
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 setup:
 name: Build All
diff --git a/.github/workflows/frontend-tsc-ci.yaml b/.github/workflows/frontend-tsc-ci.yaml
index c12d962e2..ce1b86ccc 100644
--- a/.github/workflows/frontend-tsc-ci.yaml
+++ b/.github/workflows/frontend-tsc-ci.yaml
@@ -13,6 +13,10 @@ on:
 - '.github/workflows/frontend-tsc-ci.yaml'
 workflow_dispatch:
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 setup:
 name: TS Check
diff --git a/.github/workflows/idl.yaml b/.github/workflows/idl.yaml
index 4d1bc4e09..277d031f4 100644
--- a/.github/workflows/idl.yaml
+++ b/.github/workflows/idl.yaml
@@ -1,6 +1,6 @@
 name: Thrift Syntax Validation
-on:
+on:
 push:
 paths:
 - 'idl/**'
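Review bot: The new workflow-level `permissions` block in backend-ci.yaml grants `pull-requests: read`, but nothing visible in this workflow reads pull-request data: the lint job checks out the repo and runs golangci-lint, and the coverage upload authenticates with `secrets.CODECOV_TOKEN`, not `GITHUB_TOKEN`. `contents: read` alone is the least-privilege set for checkout-and-build jobs, so I would drop the second line here and in the identical blocks added to frontend-ci.yaml, frontend-tsc-ci.yaml, idl.yaml and license-check.yaml, unless a step not shown in the diff calls the pull-request API. A short comment above the block would also help the next editor: `# GITHUB_TOKEN is read-only for every job; any scope not listed here is none`, because a workflow-level block resets unlisted scopes and a job that relied on the previous default token would now fail at runtime rather than at parse time. The `jobs:` section continues outside the hunk.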
@@ -10,6 +10,10 @@ on:
 - 'idl/**'
 - '.github/workflows/idl.yaml'
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 validate-thrift:
 runs-on: ubuntu-latest
@@ -32,15 +36,15 @@ jobs:
 run: |
 # Initialize error flag
 ERROR_FOUND=0
-
+
 # Create temporary working directory
 TEMP_DIR=$(mktemp -d)
 echo "Created temporary working directory: $TEMP_DIR"
-
+
 # Initialize go mod in temp directory
 cd "$TEMP_DIR"
 go mod init dummy
-
+
 # Find all thrift files and validate them
 while IFS= read -r -d '' thrift_file; do
 echo "Validating $thrift_file..."
@@ -49,12 +53,12 @@ jobs:
 ERROR_FOUND=1
 fi
 done < <(find "$GITHUB_WORKSPACE/idl" -name '*.thrift' -print0)
-
+
 # Clean up temporary directory
 cd "$GITHUB_WORKSPACE"
 rm -rf "$TEMP_DIR"
 echo "Cleaned up temporary working directory"
-
+
 # Exit with appropriate status
 if [ $ERROR_FOUND -eq 1 ]; then
 echo "Thrift validation failed. Please check the errors above."
@@ -62,4 +66,4 @@ jobs:
 else
 echo "All Thrift files validated successfully!"
 exit 0
- fi
\ No newline at end of file
+ fi
diff --git a/.github/workflows/issue-sync.yaml b/.github/workflows/issue-sync.yaml
index e7161cf4a..2d0e80b16 100644
--- a/.github/workflows/issue-sync.yaml
+++ b/.github/workflows/issue-sync.yaml
@@ -4,6 +4,10 @@ on:
 issues:
 types: ['opened', 'reopened']
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 sync:
 name: Sync Issues
diff --git a/.github/workflows/license-check.yaml b/.github/workflows/license-check.yaml
index c0be46f52..615742aed 100644
--- a/.github/workflows/license-check.yaml
+++ b/.github/workflows/license-check.yaml
@@ -6,7 +6,11 @@ on:
 pull_request:
 branches: ['main']
 workflow_dispatch:
-
+
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 license-check:
 name: License Check
@@ -16,11 +20,11 @@ jobs:
 uses: actions/setup-go@v5
 with:
 go-version: 1.23
-
+
 - name: Install license-eye
 run: |
 go install github.com/apache/skywalking-eyes/cmd/license-eye@main
-
+
 - name: Checkout
 uses: actions/checkout@v4
 with:
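Review bot: In the issue-sync.yaml hunk the added block grants `pull-requests: read` to a workflow whose only trigger is `issues`, while `issues` itself is not listed and therefore becomes `none` under a workflow-level block. The event payload is available to the job regardless of token scopes, so the Sync Issues job keeps working if it only reads `github.event.issue`; if it calls the Issues API (comments, labels, lookups) it now needs `issues: read` rather than `pull-requests: read`. I would change the block to `permissions:` / `contents: read` / `issues: read` and add a one-line comment naming the step that needs the scope. The job body is outside the hunk, so which case applies is inferred from the trigger and should be confirmed against the steps.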
@@ -29,7 +33,7 @@ jobs:
 - name: License Header Check
 run: |
 license-eye header check -c .github/.licenserc.yaml
-
+
 - name: License Dependency Check
 run: |
 license-eye dependency check -c .github/.licenserc.yaml
diff --git a/.github/workflows/pr-sync.yaml b/.github/workflows/pr-sync.yaml
index 1fabede3b..447db6ef8 100644
--- a/.github/workflows/pr-sync.yaml
+++ b/.github/workflows/pr-sync.yaml
@@ -4,6 +4,10 @@ on:
 pull_request_target:
 types: ['opened', 'reopened', 'closed']
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 sync:
 name: Send Lark Message
diff --git a/.github/workflows/semantic-pull-request.yaml b/.github/workflows/semantic-pull-request.yaml
index e167a2ca7..61bd1c674 100644
--- a/.github/workflows/semantic-pull-request.yaml
+++ b/.github/workflows/semantic-pull-request.yaml
@@ -11,6 +11,10 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.number }}
 cancel-in-progress: true
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 main:
 name: Check Pull Request Title
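Review bot: The pr-sync.yaml hunk is where the read-only block matters most and the reason is not recorded: this workflow runs on `pull_request_target`, which executes in the base repository with access to its secrets, and unless the repository default is already restricted the `GITHUB_TOKEN` for that event carried write scopes before this change. The block is correct as written; I would add above it `# pull_request_target runs with base-repo secrets: keep GITHUB_TOKEN read-only and do not check out or execute the PR head ref in this job`. Whether the Send Lark Message job checks out anything from the pull request cannot be seen in the hunk, so that part of the comment is a rule to hold the job to rather than a finding. The `jobs:` section continues outside the hunk.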