diff --git a/.github/workflows/crowdin_download.yml b/.github/workflows/crowdin_download.yml
index f7bbc7362..04897ac2b 100644
--- a/.github/workflows/crowdin_download.yml
+++ b/.github/workflows/crowdin_download.yml
@@ -6,6 +6,9 @@ on:
 branches:
 - 'release/**'
+permissions:
+ contents: read
+
 jobs:
 install-dependencies:
 uses: ./.github/workflows/dependencies.yml
diff --git a/.github/workflows/crowdin_upload.yml b/.github/workflows/crowdin_upload.yml
index 3def89ea8..3eadde5e4 100644
--- a/.github/workflows/crowdin_upload.yml
+++ b/.github/workflows/crowdin_upload.yml
@@ -6,6 +6,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 install-dependencies:
 uses: ./.github/workflows/dependencies.yml
diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml
index 6cdf23f6e..21b8efb48 100644
--- a/.github/workflows/dependencies.yml
+++ b/.github/workflows/dependencies.yml
@@ -14,6 +14,9 @@ on:
 type: boolean
 default: false
+permissions:
+ contents: read
+
 jobs:
 front-dependencies-installation:
 if: ${{ inputs.with-front-dependencies-installation == true }}
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 00a299e5e..5a9cf005c 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -37,6 +37,9 @@ description: Build and push a container image based on the input arguments provi
 default: ""
 description: "Build arg name to pass first amd64 tag to arm64 build (skips arch-independent build steps)"
+permissions:
+ contents: read
+
 jobs:
 build-and-push:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml
index b0bb2a92b..c6796f6a3 100644
--- a/.github/workflows/ghcr.yml
+++ b/.github/workflows/ghcr.yml
@@ -13,6 +13,9 @@ env:
 DOCKER_USER: 1001:127
 REGISTRY: ghcr.io
+permissions:
+ contents: read
+
 jobs:
 build-and-push-backend:
 runs-on: ubuntu-latest
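Review bot: In crowdin_download.yml the new workflow-level `permissions:` block leaves GITHUB_TOKEN with `contents: read` only, and every scope that is not listed drops to `none`. The jobs continue outside the hunk; if one of them pushes a translation branch or opens a pull request with GITHUB_TOKEN, that step would now be refused. Keep the read-only default and grant the extra scopes on that one job, e.g. `permissions: {contents: write, pull-requests: write}` at job level. The same check is worth doing for any other workflow in this commit whose jobs write back to the repository.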
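Review bot: In docker-publish.yml and ghcr.yml (`REGISTRY: ghcr.io`) the workflow-level block also sets `packages` to `none`, so an image push that authenticates with GITHUB_TOKEN would be rejected; whether the login step uses that token is not visible in these hunks. If it does, add `permissions: {contents: read, packages: write}` on the `build-and-push*` jobs instead of widening the workflow default. docker-publish.yml looks like a reusable workflow, and a called workflow can only narrow the token it receives, so the scope would also have to be granted on the calling job. A one-line comment above each block, such as `# GITHUB_TOKEN is read-only by default; add scopes per job`, would keep later job additions from silently failing.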
diff --git a/.github/workflows/impress-frontend.yml b/.github/workflows/impress-frontend.yml
index 61b3f180e..e12f9b585 100644
--- a/.github/workflows/impress-frontend.yml
+++ b/.github/workflows/impress-frontend.yml
@@ -8,6 +8,9 @@ on:
 branches:
 - "*"
+permissions:
+ contents: read
+
 jobs:
 install-dependencies:
diff --git a/.github/workflows/impress.yml b/.github/workflows/impress.yml
index 6e0d23bf0..cd7dc2929 100644
--- a/.github/workflows/impress.yml
+++ b/.github/workflows/impress.yml
@@ -8,6 +8,9 @@ on:
 branches:
 - "*"
+permissions:
+ contents: read
+
 jobs:
 install-dependencies:
 uses: ./.github/workflows/dependencies.yml