diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index 887bf6fb..03a5c8a2 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -31,6 +31,9 @@ on:
     - cron: '0 0 * * 0' # Weekly on Sunday at midnight UTC
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   CARGO_TERM_COLOR: always
 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ff6841db..baa6d266 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -70,6 +70,9 @@ on:
         default: true
         type: boolean
 
+permissions:
+  contents: read
+
 env:
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: 1
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 00a29e16..b5b30571 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -59,6 +59,9 @@ on:
     - cron: "0 0 * * 0" # Weekly on Sunday at midnight UTC
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: 1
diff --git a/.github/workflows/issue-translator.yml b/.github/workflows/issue-translator.yml
index 176d00a0..8a04b223 100644
--- a/.github/workflows/issue-translator.yml
+++ b/.github/workflows/issue-translator.yml
@@ -15,9 +15,12 @@
 name: "issue-translator"
 on:
   issue_comment:
-    types: [created]
+    types: [ created ]
   issues:
-    types: [opened]
+    types: [ opened ]
+
+  contents: read
+  issues: write
 
 jobs:
   build:
diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml
index c8b9c6f4..52274035 100644
--- a/.github/workflows/performance.yml
+++ b/.github/workflows/performance.yml
@@ -30,6 +30,9 @@ on:
         default: "120"
         type: string
 
+permissions:
+  contents: read
+
 env:
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: 1