diff --git a/.github/workflows/code-style-checks.yml b/.github/workflows/code-style-checks.yml
index 616add9d8fb3..fa80e316a7fd 100644
--- a/.github/workflows/code-style-checks.yml
+++ b/.github/workflows/code-style-checks.yml
@@ -38,6 +38,9 @@ concurrency:
   group: code-style-${{ github.ref_name }}-${{ !(github.ref_protected) || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   code-style:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/gpu-hvd-tests.yml b/.github/workflows/gpu-hvd-tests.yml
index bdab69a5be3f..eb92dfe15fca 100644
--- a/.github/workflows/gpu-hvd-tests.yml
+++ b/.github/workflows/gpu-hvd-tests.yml
@@ -17,6 +17,9 @@ concurrency:
 
 # Cherry-picked from https://github.com/pytorch/test-infra/blob/main/.github/workflows/linux_job.yml
 
+permissions:
+  contents: read
+
 jobs:
   gpu-hvd-tests:
     strategy:
diff --git a/.github/workflows/gpu-tests.yml b/.github/workflows/gpu-tests.yml
index 228ac28814a1..9ee03a1ad8df 100644
--- a/.github/workflows/gpu-tests.yml
+++ b/.github/workflows/gpu-tests.yml
@@ -17,6 +17,9 @@ concurrency:
 
 # Cherry-picked from https://github.com/pytorch/test-infra/blob/main/.github/workflows/linux_job_v2.yml
 
+permissions:
+  contents: read
+
 jobs:
   gpu-tests:
     strategy:
diff --git a/.github/workflows/hvd-tests.yml b/.github/workflows/hvd-tests.yml
index 9fdc9092f0a5..ac26a59a89a7 100644
--- a/.github/workflows/hvd-tests.yml
+++ b/.github/workflows/hvd-tests.yml
@@ -23,6 +23,9 @@ concurrency:
   group: hvd-tests-${{ github.ref_name }}-${{ !(github.ref_protected) || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   horovod-tests:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/mps-tests.yml b/.github/workflows/mps-tests.yml
index 7cc0317e5173..024bece12485 100644
--- a/.github/workflows/mps-tests.yml
+++ b/.github/workflows/mps-tests.yml
@@ -29,6 +29,9 @@ concurrency:
 # - https://github.com/pytorch/vision/blob/main/.github/workflows/tests.yml
 # - https://github.com/pytorch/test-infra/blob/main/.github/workflows/macos_job.yml
 
+permissions:
+  contents: read
+
 jobs:
   mps-tests:
     strategy:
diff --git a/.github/workflows/tpu-tests.yml b/.github/workflows/tpu-tests.yml
index e22a71693860..84f97bc122ea 100644
--- a/.github/workflows/tpu-tests.yml
+++ b/.github/workflows/tpu-tests.yml
@@ -24,6 +24,9 @@ concurrency:
   group: tpu-tests-${{ github.ref_name }}-${{ !(github.ref_protected) || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   tpu-tests:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/typing-checks.yml b/.github/workflows/typing-checks.yml
index ad14c286d35d..ab15123281ce 100644
--- a/.github/workflows/typing-checks.yml
+++ b/.github/workflows/typing-checks.yml
@@ -30,6 +30,9 @@ concurrency:
   group: typing-${{ github.ref_name }}-${{ !(github.ref_protected) || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   pyrefly:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index bd581a88eb84..d1ee2a9fe982 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -31,6 +31,9 @@ concurrency:
   group: unit-tests-${{ github.ref_name }}-${{ !(github.ref_protected) || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   cpu-tests:
     runs-on: ${{ matrix.os }}