diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index e49199b..359e383 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -23,13 +23,18 @@ on:
 schedule:
 - cron: '31 2 * * 5'
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze (${{ matrix.language }})
 runs-on: windows-latest
 timeout-minutes: 360
 permissions:
- security-events: write
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/autobuild to send a status report
 packages: read
 strategy:
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index a89cc74..6dfc3f9 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -21,6 +21,9 @@ on:
 - build/*.targets
 - build/*.yml
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index fb559d2..86fbf51 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,6 +21,9 @@ on:
 - build/*.targets
 - build/*.yml
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/vcpkg.yml b/.github/workflows/vcpkg.yml
index 025e65f..a3c27fe 100644
--- a/.github/workflows/vcpkg.yml
+++ b/.github/workflows/vcpkg.yml
@@ -15,6 +15,9 @@ on:
 - LICENSE
 - build/*
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ${{ matrix.os }}
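Review bot: The inline comment on `security-events: write` in the `analyze` job's `permissions` block in codeql.yml credits the scope to `github/codeql-action/autobuild`, but this scope is what permits uploading code-scanning results, which is normally the analyze step's job. The steps lie outside this hunk, so confirm which action actually needs it and reword, e.g. `security-events: write # for github/codeql-action/analyze to upload SARIF results`. `packages: read` is now the only scope without a stated reason; a matching comment such as `# to fetch internal or private CodeQL packs` would keep the block self-documenting. Because a job-level `permissions` map replaces the workflow-level one instead of merging with it, the repeated `contents: read` is required here and should stay.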
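Review bot: The new workflow-level `permissions: contents: read` in main.yml (and the identical blocks in test.yml and vcpkg.yml) sets every unlisted GITHUB_TOKEN scope to `none` for all jobs, and the job steps are outside these hunks, so it cannot be confirmed from here that no step needs more (for example publishing a release, pushing a package or commenting on a pull request). If a step does, grant the extra scope on that job only rather than widening the top-level block. A short comment above the block would record the intent for later editors: `# Least privilege: GITHUB_TOKEN is read-only by default; add scopes per job.`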