diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0347bc5336..16edb74efb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,6 +23,8 @@ on:
       - main
   workflow_dispatch:
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref_name }}-${{ github.event.number || github.sha }}
   cancel-in-progress: true
diff --git a/.github/workflows/pr-checklist.yml b/.github/workflows/pr-checklist.yml
index d81fc88eb7..49078370a7 100644
--- a/.github/workflows/pr-checklist.yml
+++ b/.github/workflows/pr-checklist.yml
@@ -20,8 +20,7 @@ on:
   pull_request:
     types: [opened, edited, synchronize, ready_for_review, converted_to_draft]
 
-permissions:
-  contents: read
+permissions: read-all
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref_name }}-${{ github.event.number || github.sha }}
diff --git a/.github/workflows/renovate-validation.yml b/.github/workflows/renovate-validation.yml
index 85dd8f620c..0a4d12fb94 100644
--- a/.github/workflows/renovate-validation.yml
+++ b/.github/workflows/renovate-validation.yml
@@ -14,8 +14,7 @@ on:
       - .github/workflows/renovate-validation.yml
       - .github/renovate.json
 
-permissions:
-  contents: read
+permissions: read-all
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref_name }}-${{ github.event.number || github.sha }}