diff --git a/.github/workflows/actions-versions-updater.yml b/.github/workflows/actions-versions-updater.yml
index bb05b24e..91a64cf5 100644
--- a/.github/workflows/actions-versions-updater.yml
+++ b/.github/workflows/actions-versions-updater.yml
@@ -6,19 +6,27 @@ on:
     - cron: '0 0 1 * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v4.1.1
         with:
           # This requires a personal access token with the privileges to push directly to `main`
-          token: ${{ secrets.WORKFLOW_TOKEN }}
+          token: ${{ secrets.ACTIONS_VERSION_UPDATER_TOKEN }}
           persist-credentials: true
+
       - name: Run GitHub Actions Version Updater
         uses: saadmk11/github-actions-version-updater@v0.8.1
         with:
-          token: ${{ secrets.WORKFLOW_TOKEN }}
+          token: ${{ secrets.ACTIONS_VERSION_UPDATER_TOKEN }}
           committer_email: 'bumpversion[bot]@ouranos.ca'
           committer_username: 'update-github-actions[bot]'
           pull_request_title: '[bot] Update GitHub Action Versions'
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
index 38fbaad9..5b5f67e2 100644
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
@@ -28,9 +28,15 @@ on:
       - xhydro/__init__.py
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   bump_patch_version:
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -54,5 +60,5 @@ jobs:
         uses: ad-m/github-push-action@master
         with:
           force: false
-          github_token: ${{ secrets.BUMPVERSION_TOKEN }}
+          github_token: ${{ secrets.BUMP_VERSION_TOKEN }}
           branch: ${{ github.ref }}
diff --git a/.github/workflows/first_pull_request.yml b/.github/workflows/first_pull_request.yml
index adc51fe0..1450d3c3 100644
--- a/.github/workflows/first_pull_request.yml
+++ b/.github/workflows/first_pull_request.yml
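Review bot: The job-level `permissions` block added under `build` (`actions: write`, `contents: write`, `pull-requests: write`) scopes only the automatic GITHUB_TOKEN, but both steps in this hunk pass the `ACTIONS_VERSION_UPDATER_TOKEN` PAT via `token:`, so these write grants appear to widen a token that nothing visible here uses. If no step relies on GITHUB_TOKEN, drop the block so the file-level `contents: read` applies; otherwise name the consumer in a comment, e.g. `# GITHUB_TOKEN scopes: required by <step>; the PAT passed as token: is not limited by this block`. The existing checkout comment should also say that least privilege for the push now rests on the PAT's own scopes, and that an unset `ACTIONS_VERSION_UPDATER_TOKEN` secret expands to an empty string rather than failing the run.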
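Review bot: `actions: read` in the new job-level block for `bump_patch_version` has no visible consumer, and `contents: write` grants GITHUB_TOKEN push rights while the push step in the next hunk (`@@ -54,5`) authenticates with the `BUMP_VERSION_TOKEN` PAT instead, so one of the two credentials is likely redundant. Document which is intended, e.g. `# contents: write — GITHUB_TOKEN pushes would not retrigger workflows; the PAT in the push step is used instead`, or drop the unused scope. The checkout step's `with:` block continues outside the hunk. Separately, `ad-m/github-push-action@master` in that second hunk is a floating branch reference; pinning it to a tag or commit SHA would keep the push credential from being handed to unreviewed action code.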
@@ -5,10 +5,16 @@ on:
     types:
       - opened
 
+permissions:
+  contents: read
+
 jobs:
   welcome:
     name: Welcome
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - uses: actions/github-script@v6
         with:
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index dbf1616a..d9a0ac2c 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -12,6 +12,10 @@ on:
       - xhydro/__init__.py
   pull_request:
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   lint:
     name: Lint (Python${{ matrix.python-version }})
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index 04e42d9d..a991ece7 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -5,6 +5,9 @@ on:
     types:
       - published
 
+permissions:
+  contents: read
+
 jobs:
   build-n-publish-pypi:
     name: Build and publish Python 🐍 distributions 📦 to PyPI
diff --git a/.github/workflows/tag-testpypi.yml b/.github/workflows/tag-testpypi.yml
index 54eb2cbe..45e68bcb 100644
--- a/.github/workflows/tag-testpypi.yml
+++ b/.github/workflows/tag-testpypi.yml
@@ -5,11 +5,16 @@ on:
     tags:
       - 'v*.*' # Push events to matching v*, i.e. v1.0, v20.15.10
 
+permissions:
+  contents: read
+
 jobs:
   release:
     name: Create Release from tag
     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/v') && endsWith(github.ref, '.0')
+    permissions:
+      contents: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
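Review bot: The `welcome` job now holds `pull-requests: write` so the `actions/github-script@v6` step can comment on a new PR, but the trigger event (`types: - opened` is visible, the event name is above the hunk) decides how risky that is: under `pull_request_target` the job runs with this write token for pull requests from forks, so the script must not check out or execute PR-head content, and any PR title or body it reads should be treated as untrusted input. A comment above the block would make the intent auditable, e.g. `# pull-requests: write — only to post the welcome comment; no checkout of PR code in this job`. `@v6` is a floating major tag; a commit SHA pin is the usual hardening for a job that holds write scopes. The script body continues outside the hunk.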
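Review bot: The file-level block grants `pull-requests: read` alongside `contents: read`, but nothing in this hunk reads the pull-request API; if no job in main.yml needs it (the jobs are outside the hunk), `contents: read` alone is the tighter default and a job that does need PR access can get a job-level grant. A one-line comment naming the consumer, e.g. `# pull-requests: read — used by <job>`, would keep the scope from outliving that consumer. Note that any job in this file that previously posted PR comments or uploaded coverage with GITHUB_TOKEN now needs an explicit job-level `pull-requests: write`.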
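Review bot: With `permissions: contents: read` now set at file level, the `build-n-publish-pypi` job (its steps are outside the hunk) loses any implicit scopes; if it publishes via PyPI trusted publishing it now needs a job-level `permissions: id-token: write`, otherwise the OIDC token request fails at release time, a path not exercised until a real release is published. If it instead uses an API-token secret, a comment saying so, e.g. `# no id-token scope: publishing uses a PyPI API token secret`, would stop a reader from adding one. Either way the job-level block is the place to document it.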
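Review bot: The `release` job gets `contents: write`, and its first step `actions/checkout@v4` (whose `with:` block, if any, is outside the hunk) persists the job's GITHUB_TOKEN into the checked-out `.git/config` by default, so every later step in the job inherits a write-capable credential. Unless a later step pushes with git, add `with: persist-credentials: false` to that checkout step, or document why the token must stay in the workspace. A comment on the new block, e.g. `# contents: write — needed to create the GitHub Release for the tag`, would tie the scope to its consumer.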