diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 67548291e..aec5dcd56 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -6,6 +6,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read # for actions/checkout to fetch code
+
 jobs:
 
   kind-linux-amd64:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 0d60165a2..db0397b52 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -7,6 +7,9 @@ on:
 env:
   REPOSITORY: ${{ github.repository }}
 
+permissions:
+  contents: read # for actions/checkout to fetch code
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index fd0fbae9b..4bdcc0c97 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -8,6 +8,10 @@ on:
   schedule:
     - cron: '18 10 * * 3'
 
+permissions:
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for codeQL to write security events
+
 jobs:
   fossa:
     name: FOSSA