diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 5c5f22ff..0981e4d7 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -6,7 +6,7 @@ on:
 branches: [develop]
 # Declare default permissions as write only.
-permissions: write-all
+permissions: read-all
 # If another push to the same PR or branch happens while this workflow is still running,
 # cancel the earlier run in favor of the next run.
@@ -53,6 +53,8 @@ jobs:
 secrets: inherit
 Update:
+ permissions:
+ contents: write
 # name: Lint & Update Reports
 needs: [Testing, Results]
 if: ${{ always() }}
diff --git a/.github/workflows/_CI_coverage_compare.yml b/.github/workflows/_CI_coverage_compare.yml
index e7ecb5d5..aa98e070 100644
--- a/.github/workflows/_CI_coverage_compare.yml
+++ b/.github/workflows/_CI_coverage_compare.yml
@@ -20,10 +20,12 @@ on:
 description: "The Python Coverage for source"
 type: string
-permissions: write-all
+permissions: read-all
 jobs:
 compare_coverage:
+ permissions:
+ contents: write
 name: Compare Reported Coverage
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/_CI_update.yml b/.github/workflows/_CI_update.yml
index 5f67cd4d..73c6f6dd 100644
--- a/.github/workflows/_CI_update.yml
+++ b/.github/workflows/_CI_update.yml
@@ -12,10 +12,12 @@ on:
 description: "Status of coverage tests (passed/failed)"
 type: string
-permissions: write-all
+permissions: read-all
 jobs:
 commit_job:
+ permissions:
+ contents: write
 name: Commit Code Updates
 env:
 COMMIT_MSG: "Automated updates: Format and/or coverage"
@@ -83,4 +85,4 @@ jobs:
 if [ "${{ env.FILE_CHANGES }}" != "Empty" ]; then
 echo "Please provide sys-vdms write access to fork (if applicable)."
 exit 1
- fi
\ No newline at end of file
+ fi
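Review bot: The context comment directly above the changed line in CI.yml still says `# Declare default permissions as write only.`, which contradicts the new `permissions: read-all`; reword it to `# Declare default permissions as read only.`. `read-all` still grants read on every token scope, so if the jobs only need to check out the repository, a top-level `permissions:` block listing only `contents: read` would be a tighter default. The same `read-all` default is introduced in _CI_coverage_compare.yml and _CI_update.yml.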
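Review bot: A job-level `permissions` block replaces the workflow default rather than extending it, so `Update` in CI.yml now runs with `contents: write` and every other scope set to `none`. The job body continues outside the hunk; if it calls a reusable workflow, that workflow is capped at the same scopes, so any step needing another scope would have to be listed here as well. A short comment such as `# contents: write: this job pushes the automated format/coverage commit` (wording to be confirmed against what the job actually does) would record why it is the exception to the read-only default.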
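Review bot: The `contents: write` requested by `compare_coverage` in _CI_coverage_compare.yml only takes effect if the calling job grants it, because a called workflow can narrow the caller's token permissions but not widen them (the typed inputs above suggest this file is a reusable workflow). This commit adds a caller-side grant only to `Update` in CI.yml, and the caller of this file is not visible in the diff. If that caller is a different job, it now inherits `read-all` and the nested request for write access would be rejected. Either add `permissions:` with `contents: write` to that calling job, or drop the grant here if the coverage comparison pushes nothing; the `steps:` list continues outside the hunk.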
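Review bot: `contents: write` on `commit_job` in _CI_update.yml gives every step of the job a token that can push to the repository, and the steps lie outside this hunk, so the need for it cannot be confirmed here. The failure message at the end of the file (`Please provide sys-vdms write access to fork (if applicable).`) hints that the push may authenticate as a separate account; if so, the GITHUB_TOKEN grant is unnecessary and the job could stay on the read-only default. If the token is what pushes, a comment such as `# needed to push the automated format/coverage commit` would document the exception.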