diff --git a/.github/workflows/conda-package.yml b/.github/workflows/conda-package.yml
index 6d04a43ce6..c224a6ef05 100644
--- a/.github/workflows/conda-package.yml
+++ b/.github/workflows/conda-package.yml
@@ -6,6 +6,8 @@ on:
 - master
 pull_request:
+permissions: read-all
+
 env:
 PACKAGE_NAME: dpctl
 MODULE_NAME: dpctl
@@ -539,6 +541,8 @@ jobs:
 array-api-conformity:
 needs: build_linux
 runs-on: ${{ matrix.runner }}
+ permissions:
+ pull-requests: write
 strategy:
 matrix:
diff --git a/.github/workflows/cpp_style_checks.yml b/.github/workflows/cpp_style_checks.yml
index a450bff627..f293788fe0 100644
--- a/.github/workflows/cpp_style_checks.yml
+++ b/.github/workflows/cpp_style_checks.yml
@@ -9,6 +9,8 @@ on:
 push:
 branches: [master]
+permissions: read-all
+
 jobs:
 formatting-check:
 name: clang-format
diff --git a/.github/workflows/generate-coverage.yaml b/.github/workflows/generate-coverage.yaml
index edf03bc8f6..d57a6794fa 100644
--- a/.github/workflows/generate-coverage.yaml
+++ b/.github/workflows/generate-coverage.yaml
@@ -4,10 +4,14 @@ on:
 push:
 branches: [master]
+permissions: read-all
+
 jobs:
 generate-coverage:
 name: Generate coverage and push to Coveralls.io
 runs-on: ubuntu-20.04
+ permissions:
+ pull-requests: write
 env:
 ONEAPI_ROOT: /opt/intel/oneapi
diff --git a/.github/workflows/generate-docs.yml b/.github/workflows/generate-docs.yml
index 84bbed4622..74c0ee53aa 100644
--- a/.github/workflows/generate-docs.yml
+++ b/.github/workflows/generate-docs.yml
@@ -6,10 +6,15 @@ on:
 pull_request:
 types: [opened, synchronize, reopened, closed]
+permissions: read-all
+
 jobs:
 build-and-deploy:
 name: Build and Deploy Documentation
 runs-on: ubuntu-20.04
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - name: Cancel Previous Runs
 uses: styfle/cancel-workflow-action@0.11.0
diff --git a/.github/workflows/os-llvm-sycl-build.yml b/.github/workflows/os-llvm-sycl-build.yml
index 3731a3fb77..dbabc79aff 100644
--- a/.github/workflows/os-llvm-sycl-build.yml
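Review bot: The workflow-level `permissions: read-all` added near the top of conda-package.yml still gives the GITHUB_TOKEN read access to every scope, which is wider than a build-and-test workflow normally needs. A tighter default is a `permissions:` mapping with the single entry `contents: read`, with anything further granted on the job that uses it. The same line is added in cpp_style_checks.yml, generate-coverage.yaml, generate-docs.yml, os-llvm-sycl-build.yml, pre-commit.yml and python_style_checks.yml, so the point applies to each of them. Which scopes the jobs really need depends on steps outside these hunks, so confirm against the full workflows before narrowing.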
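Review bot: The job-level `permissions:` block added to `array-api-conformity` in conda-package.yml replaces the workflow default instead of extending it, so with only `pull-requests: write` listed every other scope, `contents` and `actions` included, becomes `none` for this job. If a step outside this hunk uses the token to read the repository or to query other workflow runs, add `contents: read` (and `actions: read` where needed) beside `pull-requests: write`. A one-line comment above the block naming the step that needs the write scope would make later audits easier. The `generate-coverage` job in generate-coverage.yaml gets the same single-scope block and deserves the same check; both job bodies continue outside their hunks.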
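Review bot: In generate-docs.yml the new block on `build-and-deploy` lists only `contents: write` and `pull-requests: write`, which leaves `actions` at `none`, yet the first step shown in this hunk is `styfle/cancel-workflow-action@0.11.0`, which cancels runs through the Actions API and needs `actions: write` on the token it is given. Unless a different token is passed in lines outside the hunk, that step will be refused; either add `actions: write` to the block or replace the step with a workflow-level `concurrency:` group using `cancel-in-progress: true`, which needs no token scope. Separately, the workflow runs on `pull_request`, so for branches in the same repository the whole documentation build executes with a `contents: write` token. Moving the publish step into its own job would confine the write scope to the code that actually pushes. The job body continues outside the hunk.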
+++ b/.github/workflows/os-llvm-sycl-build.yml
@@ -4,6 +4,8 @@ on:
 push:
 branches: [master]
+permissions: read-all
+
 jobs:
 install-compiler:
 name: Build with nightly build of DPC++ toolchain
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index f7d799463d..1461985e90 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -5,6 +5,8 @@ on:
 push:
 branches: [master]
+permissions: read-all
+
 jobs:
 pre-commit:
 runs-on: ubuntu-20.04
diff --git a/.github/workflows/python_style_checks.yml b/.github/workflows/python_style_checks.yml
index 3afd5acbd9..6b0bbca5e1 100644
--- a/.github/workflows/python_style_checks.yml
+++ b/.github/workflows/python_style_checks.yml
@@ -9,6 +9,8 @@ on:
 push:
 branches: [master]
+permissions: read-all
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
 # The isort job sorts all imports in .py, .pyx, .pxd files