diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b084cd855..6d27f75c4 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -11,6 +11,9 @@ on: env: GO_VERSION: 1.18.3 K8S_VERSION: 1.24.2 +permissions: + contents: read + jobs: docs: @@ -37,6 +40,9 @@ jobs: mv _build/html/* $HOME/output/ golangci: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: read # for golangci/golangci-lint-action to fetch pull requests name: lint runs-on: ubuntu-latest steps: diff --git a/.github/workflows/e2e-dlb.yml b/.github/workflows/e2e-dlb.yml index 5be137c72..0ceb6db6b 100644 --- a/.github/workflows/e2e-dlb.yml +++ b/.github/workflows/e2e-dlb.yml @@ -11,6 +11,9 @@ on: env: IMAGES: 'intel-dlb-plugin dlb-libdlb-demo' +permissions: + contents: read + jobs: e2e-dlb: name: e2e-dlb diff --git a/.github/workflows/e2e-dsa.yml b/.github/workflows/e2e-dsa.yml index 64ee10097..45051fae9 100644 --- a/.github/workflows/e2e-dsa.yml +++ b/.github/workflows/e2e-dsa.yml @@ -11,6 +11,9 @@ on: env: IMAGES: 'intel-dsa-plugin intel-idxd-config-initcontainer accel-config-demo' +permissions: + contents: read + jobs: e2e-dsa: name: e2e-dsa diff --git a/.github/workflows/e2e-fpga.yml b/.github/workflows/e2e-fpga.yml index dbd3868a3..f36b735e2 100644 --- a/.github/workflows/e2e-fpga.yml +++ b/.github/workflows/e2e-fpga.yml @@ -11,6 +11,9 @@ on: env: IMAGES: 'intel-fpga-plugin intel-fpga-initcontainer intel-fpga-admissionwebhook opae-nlb-demo' +permissions: + contents: read + jobs: e2e-fpga: name: e2e-fpga diff --git a/.github/workflows/e2e-gpu.yml b/.github/workflows/e2e-gpu.yml index 084ade19d..aa35500d7 100644 --- a/.github/workflows/e2e-gpu.yml +++ b/.github/workflows/e2e-gpu.yml @@ -11,6 +11,9 @@ on: env: IMAGES: 'intel-gpu-plugin intel-gpu-initcontainer' +permissions: + contents: read + jobs: e2e-gpu: name: e2e-gpu diff --git a/.github/workflows/e2e-iaa.yml b/.github/workflows/e2e-iaa.yml index f50440c0c..ac59d053a 100644 
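Review bot: The workflow-level `permissions:` block added in the first ci.yaml hunk carries no comment, unlike the job-level block added to `golangci` in the next hunk, and the interaction between the two is easy to misread. A job that declares its own `permissions:` replaces this default outright, and every scope it does not list becomes `none`. I would add above the block `# Default GITHUB_TOKEN scope for all jobs; a job-level permissions block replaces this, it does not merge.` The same comment fits the identical blocks added to the e2e-dlb, e2e-dsa, e2e-fpga, e2e-gpu, e2e-iaa, e2e-qat and e2e-sgx workflows and to publish.yml. The setting narrows only the GITHUB_TOKEN; secrets that jobs pass to steps explicitly are unaffected, and those jobs lie outside these hunks.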
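Review bot: `pull-requests: read` on the `golangci` job is, per the lint action's documentation, only needed when the action runs with `only-new-issues`. The step's `with:` block is outside this hunk, so whether that option is set cannot be confirmed from here. If it is not set, the job can run with `contents: read` alone and the extra scope should be dropped. If it is set, the line is right as written and the inline comment already explains it.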
--- a/.github/workflows/e2e-iaa.yml +++ b/.github/workflows/e2e-iaa.yml @@ -11,6 +11,9 @@ on: env: IMAGES: 'intel-iaa-plugin intel-idxd-config-initcontainer accel-config-demo' +permissions: + contents: read + jobs: e2e-iaa: name: e2e-iaa diff --git a/.github/workflows/e2e-qat.yml b/.github/workflows/e2e-qat.yml index 7ceab3b13..4dc0b7d07 100644 --- a/.github/workflows/e2e-qat.yml +++ b/.github/workflows/e2e-qat.yml @@ -11,6 +11,9 @@ on: env: IMAGES: 'intel-qat-plugin intel-qat-initcontainer crypto-perf' +permissions: + contents: read + jobs: e2e-qat: name: e2e-qat diff --git a/.github/workflows/e2e-sgx.yml b/.github/workflows/e2e-sgx.yml index 0dcca0cdc..b5cc6eabe 100644 --- a/.github/workflows/e2e-sgx.yml +++ b/.github/workflows/e2e-sgx.yml @@ -11,6 +11,9 @@ on: env: IMAGES: 'intel-sgx-plugin intel-sgx-initcontainer intel-sgx-admissionwebhook' +permissions: + contents: read + jobs: e2e-sgx: name: e2e-sgx diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index a264b03fa..29aad34a6 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -8,9 +8,14 @@ on: - release-0.23 - release-0.24 +permissions: + contents: read + jobs: build: + permissions: + contents: write # for Git to git push runs-on: ubuntu-latest steps:
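Review bot: `contents: write` in publish.yml is granted to the whole `build` job, so every step in it, including the build itself and any third-party actions, runs with a token that can push to the repository. The steps are outside this hunk, so this is inferred from the job name and the `# for Git to git push` comment. If the job builds before it pushes, consider keeping the build in a job that inherits the read-only default and moving only the push into a separate job that carries `contents: write`, with the output handed over as an artifact. At minimum, extend the comment to name the target, e.g. `contents: write # git push to <target-branch> by the publish step`, so a later reader can tell when the scope is no longer needed.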