diff --git a/.github/workflows/.deploy.yml b/.github/workflows/.deploy.yml index e66a9bb..7e7f51e 100644 --- a/.github/workflows/.deploy.yml +++ b/.github/workflows/.deploy.yml @@ -50,11 +50,15 @@ on: required: false type: string +permissions: {} + jobs: deploys: name: Helm environment: ${{ inputs.environment }} runs-on: ubuntu-24.04 + permissions: + contents: read timeout-minutes: ${{ inputs.timeout-minutes }} steps: - uses: actions/checkout@v6 diff --git a/.github/workflows/.tests.yml b/.github/workflows/.tests.yml index 01e7781..47a63da 100644 --- a/.github/workflows/.tests.yml +++ b/.github/workflows/.tests.yml @@ -9,10 +9,14 @@ on: required: true type: string +permissions: {} + jobs: cypress-e2e: name: Cypress E2E runs-on: ubuntu-24.04 + permissions: + contents: read strategy: matrix: browser: [chrome] diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml index 0238d15..c6772ca 100644 --- a/.github/workflows/analysis.yml +++ b/.github/workflows/analysis.yml @@ -14,12 +14,17 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: # https://github.com/marketplace/actions/aqua-security-trivy trivy: name: Trivy Security Scan if: github.event_name != 'pull_request' || !github.event.pull_request.draft runs-on: ubuntu-24.04 + permissions: + contents: read + security-events: write steps: - uses: actions/checkout@v6 diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index 0ca0dec..fd46c0f 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -10,6 +10,8 @@ concurrency: group: ${{ github.workflow }} cancel-in-progress: true +permissions: {} + jobs: semantic-version: outputs: 
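Review bot: In the analysis.yml hunk the trivy job is granted `contents: read` and `security-events: write`, which is enough for a SARIF upload to code scanning on a public repository, but `codeql-action/upload-sarif` additionally needs `actions: read` when the repository is private or internal. The upload step itself lies outside the hunk, so confirm which action performs it and the repository's visibility; on a public repo the grant as written is sufficient. A short comment on the block, `# security-events: write — SARIF upload to code scanning`, would record why the only write scope in this workflow is needed.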
@@ -18,6 +20,8 @@ jobs: clean_changelog: ${{ steps.changelog.outputs.clean_changelog }} runs-on: ubuntu-24.04 timeout-minutes: 1 + permissions: + contents: write # write implies read; needed for git-push and checkout steps: - uses: actions/checkout@v6 - name: Conventional Changelog Update @@ -34,6 +38,8 @@ jobs: retag-images: needs: [semantic-version] runs-on: ubuntu-24.04 + permissions: + packages: write strategy: matrix: package: [api, database, frontend] @@ -47,10 +53,11 @@ jobs: tags: | ${{ needs.semantic-version.outputs.semanticVersion }} ${{ needs.semantic-version.outputs.tag }} - deploys: name: TEST Deployments needs: [retag-images, semantic-version] + permissions: + contents: read uses: ./.github/workflows/.deploy.yml secrets: inherit with: @@ -62,6 +69,8 @@ jobs: tests: name: Tests needs: [deploys] + permissions: + contents: read uses: ./.github/workflows/.tests.yml with: target: test @@ -69,6 +78,8 @@ jobs: deploys-prod: name: PROD Deployments needs: [semantic-version, tests] + permissions: + contents: read uses: ./.github/workflows/.deploy.yml secrets: inherit with: @@ -81,6 +92,8 @@ jobs: name: Create Release needs: [semantic-version, deploys-prod] runs-on: ubuntu-24.04 + permissions: + contents: write steps: - name: Create Release uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2 diff --git a/.github/workflows/pr-close.yml b/.github/workflows/pr-close.yml index 62b5b23..f4c40da 100644 --- a/.github/workflows/pr-close.yml +++ b/.github/workflows/pr-close.yml @@ -9,6 +9,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: cleanup: name: Cleanup and Image Promotion diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 618495c..95e2e3a 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml 
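Review bot: The retag-images job in merge.yml (hunk at `@@ -34,6 +38,8 @@`) receives only `packages: write`, and with the new top-level `permissions: {}` every scope not listed is now none. The job's steps are outside the hunk; if one of them runs `actions/checkout` or reads repository data through the API it also needs `contents: read`, whereas a registry-only retag against ghcr.io is covered by `packages: write` alone. Confirm against the step list before merging, since a missing scope here would only surface as a permission error on the next release run.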
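Review bot: The `deploys` job in merge.yml (hunk at `@@ -47,10 +53,11 @@`) pairs the new `permissions: contents: read` with the existing `secrets: inherit`, so the reusable `.deploy.yml` still receives every repository and environment secret; the permissions block narrows the GITHUB_TOKEN, not the secrets. The same combination appears in `deploys-prod` in this file and in the `deploys` job of pr-open.yml. If `.deploy.yml` declares what it needs under `on.workflow_call.secrets`, passing those secrets by name instead of `inherit` would make the secret grant as explicit as the token grant now is. For a `uses:` job the permissions given here are also the upper bound for the called workflow's jobs, which is consistent with the `contents: read` that `.deploy.yml` requests for itself.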
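Review bot: In pr-close.yml the hunk adds only the top-level `permissions: {}`; the `cleanup` job visible in the context, whose name says it also promotes images, gets no job-level permissions block within this hunk. If that job has no `permissions:` key further down (its body is outside the hunk), it now runs with no GITHUB_TOKEN scopes, and promoting images in ghcr would need `packages: write` (plus `contents: read` if it checks out the repository). Please confirm the job carries its own block, since every other workflow in this change adds one to each job that uses the token.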
@@ -9,6 +9,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: pr-greeting: name: PR Greeting @@ -39,6 +41,7 @@ jobs: name: Builds runs-on: ubuntu-24.04 permissions: + contents: read attestations: write id-token: write packages: write @@ -64,6 +67,8 @@ jobs: deploys: name: Deploys needs: [builds] + permissions: + contents: read uses: ./.github/workflows/.deploy.yml secrets: inherit with: @@ -90,6 +95,8 @@ jobs: tests: name: Tests needs: [deploys] + permissions: + contents: read uses: ./.github/workflows/.tests.yml with: target: ${{ github.event.number }} diff --git a/.github/workflows/scheduled.yml b/.github/workflows/scheduled.yml index c4f9233..adf2f60 100644 --- a/.github/workflows/scheduled.yml +++ b/.github/workflows/scheduled.yml @@ -13,10 +13,14 @@ concurrency: group: ${{ github.workflow }} cancel-in-progress: true +permissions: {} + jobs: pubcode-crawler: name: Crawl Git Repos for bcgovpubcode.yml runs-on: ubuntu-24.04 + permissions: + contents: read environment: prod defaults: run: @@ -59,6 +63,9 @@ jobs: validate-ministry-list: name: Validate Ministry List in the pubcode schema. runs-on: ubuntu-24.04 + permissions: + contents: write + pull-requests: write defaults: run: working-directory: schema/script @@ -101,6 +108,8 @@ jobs: soft-delete-removed-pubcodes: name: Soft Delete pubcodes In the Databse which are removed from the repo. runs-on: ubuntu-24.04 + permissions: + contents: read defaults: run: working-directory: utilities/remove-deleted-pubcode
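Review bot: In the first pr-open.yml hunk (`@@ -9,6 +9,8 @@`) the top-level `permissions: {}` is added but the `pr-greeting` job shown in the context gets no job-level block, unlike every other job touched in this change. A greeting job normally comments on the pull request, which needs `pull-requests: write`; if the job's body (outside the hunk) has no `permissions:` key of its own, that step will now fail with the empty token. Note as well that on `pull_request` events from forks the token is read-only regardless of this block, so the commenting step may need an `if` guard or `continue-on-error` to keep the rest of the workflow green.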
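Review bot: The `validate-ministry-list` job in scheduled.yml (hunk at `@@ -59,6 +63,9 @@`) is the only scheduled job given write scopes, `contents: write` and `pull-requests: write`, presumably to push a branch and open a pull request from the schema check. Since the steps sit outside the hunk, a comment on the block naming the step each scope serves, e.g. `# contents: write + pull-requests: write — needed by <step that opens the PR>`, would keep the grant reviewable the way the semantic-version job's comment does. If that PR is opened with the GITHUB_TOKEN, `pull_request`-triggered workflows such as pr-open.yml will not run on it; that is pre-existing behaviour, but the same comment is the right place to record it.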