diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d717c8d25..6f74b063d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,6 +3,9 @@ on:
 pull_request:
 push:
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 test:
 strategy:
diff --git a/.github/workflows/dependency-graph.yml b/.github/workflows/dependency-graph.yml
index 7caea8278..0ab49c9b3 100644
--- a/.github/workflows/dependency-graph.yml
+++ b/.github/workflows/dependency-graph.yml
@@ -3,8 +3,12 @@ name: Submit Dependency Graph
 on:
 push:
 branches: [1.7.x] # default branch of the project
+permissions: {}
 jobs:
 submit-graph:
+ permissions:
+ contents: write # to submit the dependency graph
+
 name: Submit Dependency Graph
 runs-on: ubuntu-latest # or windows-latest, or macOS-latest
 steps:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 2897d641f..b7664a12f 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -5,6 +5,9 @@ on:
 # # 08:00 UTC = 03:00 EST
 # - cron: '0 8 * * *'
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 deploy:
 strategy:
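Review bot: The comment on `contents: read` in ci.yml does not mention that declaring a workflow-level `permissions` block sets every unlisted GITHUB_TOKEN scope to `none`. The `test` job's steps are outside the hunk, so confirm none of them rely on a default scope such as `checks` or `pull-requests`; a miss would surface only as a permission error on the affected step. I would extend the comment to `contents: read # to fetch code (actions/checkout); all other scopes are none`. The same applies to the identical block added to nightly.yml, where the job is named `deploy` and may need a job-level scope if it publishes with GITHUB_TOKEN rather than a separate secret.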
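Review bot: The comment on `contents: write` in the `submit-graph` job reads as if the scope were limited to graph submission, but the same scope also lets the token push commits and tags and create releases. The job's steps are outside the hunk; if they run a third-party action, it receives this write-capable token, so it is worth pinning that action to a full commit SHA and keeping unrelated steps out of this job. I would word the comment as `contents: write # required by the dependency submission API; also grants push access, keep this job minimal`. As a style point, `permissions: {}` is added directly above `jobs:` without the blank line that the other two workflows put around their `permissions` block.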