diff --git a/.github/workflows/container-image.yml b/.github/workflows/container-image.yml
index 8d1c33b0..5f9b60ed 100644
--- a/.github/workflows/container-image.yml
+++ b/.github/workflows/container-image.yml
@@ -1,5 +1,8 @@
 name: Build container image
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/helm-chart-release.yml b/.github/workflows/helm-chart-release.yml
index 59fe6bec..b331fe0f 100644
--- a/.github/workflows/helm-chart-release.yml
+++ b/.github/workflows/helm-chart-release.yml
@@ -4,6 +4,9 @@
 # of the `charts` directory.
 name: Release helm chart
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
diff --git a/.github/workflows/installer-build.yml b/.github/workflows/installer-build.yml
index cb42968d..3f00cd9f 100644
--- a/.github/workflows/installer-build.yml
+++ b/.github/workflows/installer-build.yml
@@ -1,5 +1,8 @@
 name: Build installer image, sign it, and generate SBOMs
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     outputs:
diff --git a/.github/workflows/manager-build.yml b/.github/workflows/manager-build.yml
index f49ded06..7aafbabe 100644
--- a/.github/workflows/manager-build.yml
+++ b/.github/workflows/manager-build.yml
@@ -1,5 +1,8 @@
 name: Build manager image, sign it, and generate SBOMs
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     outputs:
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index d20ebfc1..596abd7f 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -1,5 +1,8 @@
 name: Generate SBOMs
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/sign-image.yml b/.github/workflows/sign-image.yml
index e3618e44..b82f8b44 100644
--- a/.github/workflows/sign-image.yml
+++ b/.github/workflows/sign-image.yml
@@ -1,5 +1,8 @@
 name: Sign image
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs: