diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 281619480db..590953a441b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/make-docs.yml b/.github/workflows/make-docs.yml
index 26de09e8d58..74b709ea11a 100644
--- a/.github/workflows/make-docs.yml
+++ b/.github/workflows/make-docs.yml
@@ -16,6 +16,9 @@ on:
 env:
   ARTIFACTS_DIR: /tmp/artifacts
 
+permissions:
+  contents: write
+
 jobs:
   build-docs:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml
index aebc963cd21..5190235ce2f 100644
--- a/.github/workflows/post-release.yml
+++ b/.github/workflows/post-release.yml
@@ -15,6 +15,9 @@ on:
 env:
   version: ${{ github.event.inputs.version || github.ref_name }}
 
+permissions:
+  contents: read
+
 jobs:
   homebrew-tap:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/sdk-codegen-ci.yml b/.github/workflows/sdk-codegen-ci.yml
index e93f841b14e..d11823f16a2 100644
--- a/.github/workflows/sdk-codegen-ci.yml
+++ b/.github/workflows/sdk-codegen-ci.yml
@@ -3,6 +3,9 @@ name: sdk-codegen-ci
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build-aws-sdk-js-v3:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/stale-issues.yml b/.github/workflows/stale-issues.yml
index fad299a334b..70ce1288a76 100644
--- a/.github/workflows/stale-issues.yml
+++ b/.github/workflows/stale-issues.yml
@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  issues: write
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update-gradle-plugin.yml b/.github/workflows/update-gradle-plugin.yml
index 80c206fb9b8..1b2489af29c 100644
--- a/.github/workflows/update-gradle-plugin.yml
+++ b/.github/workflows/update-gradle-plugin.yml
@@ -6,6 +6,10 @@ on:
     # Runs every wednesday at 11
     - cron:  '0 11 * * WED'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   get-version:
     runs-on: ubuntu-latest