diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
index 795237f7ba..f1abe39f91 100644
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - main

+permissions:
+ contents: read
+
 jobs:
 # Pre-commit checks
 pre-commit:
diff --git a/.github/workflows/ci-pull-request.yml b/.github/workflows/ci-pull-request.yml
index e179403401..80ae959f06 100644
--- a/.github/workflows/ci-pull-request.yml
+++ b/.github/workflows/ci-pull-request.yml
@@ -12,6 +12,9 @@ concurrency:
 group: ${{ github.workflow }}-pr-${{ github.event.pull_request.number }}
 cancel-in-progress: true

+permissions:
+ contents: read
+
 jobs:
 # Fast pre-commit checks (runs first)
 pre-commit:
diff --git a/.github/workflows/docker-build-arm.yml b/.github/workflows/docker-build-arm.yml
index 5cf05fd587..fde9dff648 100644
--- a/.github/workflows/docker-build-arm.yml
+++ b/.github/workflows/docker-build-arm.yml
@@ -4,6 +4,9 @@ on:
 # Manual-only: arm64 builds run in scheduled nightly workflow.
 workflow_dispatch:

+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: linux-large-disk
diff --git a/.github/workflows/integration-test-library-mode.yml b/.github/workflows/integration-test-library-mode.yml
index cff1055669..840aa89968 100644
--- a/.github/workflows/integration-test-library-mode.yml
+++ b/.github/workflows/integration-test-library-mode.yml
@@ -16,6 +16,9 @@ on:
 type: string
 default: ''

+permissions:
+ contents: read
+
 jobs:
 integration-test:
 name: Integration Tests (${{ matrix.os-label }})
diff --git a/.github/workflows/retriever-unit-tests.yml b/.github/workflows/retriever-unit-tests.yml
index 87474405a3..05d066f842 100644
--- a/.github/workflows/retriever-unit-tests.yml
+++ b/.github/workflows/retriever-unit-tests.yml
@@ -8,6 +8,9 @@ on:
 - main
 pull_request:

+permissions:
+ contents: read
+
 jobs:
 retriever-unit-tests:
 name: Run Retriever Unit Tests
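Review bot: The new top-level `permissions:` block in ci-main.yml carries no comment, and its implicit effect is easy to miss: once any scope is listed, every unlisted GITHUB_TOKEN scope drops to `none` for all jobs in the workflow. I would add one line above it, `# Least-privilege GITHUB_TOKEN default; unlisted scopes are none, so jobs needing more must set their own permissions.` The same three lines are added without comment in ci-pull-request.yml, docker-build-arm.yml, integration-test-library-mode.yml, retriever-unit-tests.yml and scheduled-nightly.yml, and the comment applies there too. The `jobs:` map continues past the hunk, so which jobs might need a wider scope cannot be checked from here.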
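Review bot: The `build` job in docker-build-arm.yml gets no job-level override, so if any of its steps pushes an image or package using GITHUB_TOKEN it will be denied now that the workflow default leaves `packages` at `none`. The steps are outside the hunk, so this is a check to make rather than a confirmed break; if the job does publish, add `permissions:` with `contents: read` and `packages: write` under `build:` rather than widening the workflow-level block. The same check applies to the jobs after `determine-version` in scheduled-nightly.yml, where a job that tags, releases or uses OIDC would need `contents: write` or `id-token: write` at job level.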
diff --git a/.github/workflows/scheduled-nightly.yml b/.github/workflows/scheduled-nightly.yml
index 6f2bed65e4..eb48448781 100644
--- a/.github/workflows/scheduled-nightly.yml
+++ b/.github/workflows/scheduled-nightly.yml
@@ -17,6 +17,9 @@ on:
 type: boolean
 default: false

+permissions:
+ contents: read
+
 jobs:
 # Generate version for all nightly builds
 determine-version: