diff --git a/.github/workflows/build_container.yml b/.github/workflows/build_container.yml
index b7acb43..4a48bb2 100644
--- a/.github/workflows/build_container.yml
+++ b/.github/workflows/build_container.yml
@@ -1,3 +1,4 @@
+---
 name: Build and publish a 🛢️ container
 
 on:
@@ -8,6 +9,9 @@ on:
       - '*'
   workflow_dispatch:
 
+permissions:
+  contents: read # minimal required permissions to clone repo
+
 jobs:
   setup-matrix:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 05d3110..80b8040 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -7,6 +7,9 @@ on:
       - 'main'
   workflow_dispatch:
 
+permissions:
+  contents: read # minimal required permissions to clone repo
+
 jobs:
   setup-matrix:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 98d6ee1..e16f1b0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,6 +9,9 @@ on:
     tags:
       - '*'
 
+permissions:
+  contents: read # minimal required permissions to clone repo
+
 jobs:
   release:
     name: Release
diff --git a/.github/workflows/security_scanning.yml b/.github/workflows/security_scanning.yml
index f0ac766..9a286c6 100644
--- a/.github/workflows/security_scanning.yml
+++ b/.github/workflows/security_scanning.yml
@@ -9,6 +9,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read # minimal required permissions to clone repo
+
 jobs:
   setup-matrix:
     runs-on: ubuntu-latest