diff --git a/.github/workflows/linux_auto_assign_author.yaml b/.github/workflows/linux_auto_assign_author.yaml
index 7f5765c9..3e380b32 100644
--- a/.github/workflows/linux_auto_assign_author.yaml
+++ b/.github/workflows/linux_auto_assign_author.yaml
@@ -1,5 +1,6 @@
 # Automatically assigns the author who created the PR to the Assignees in GitHub.
 name: PR Author Assign
+permissions: read-all
 
 on:
   pull_request_target:
@@ -14,4 +15,4 @@ jobs:
     steps:
       - uses: toshimaru/auto-author-assign@v1.6.2
         with:
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
\ No newline at end of file
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/linux_clang_format_check.yaml b/.github/workflows/linux_clang_format_check.yaml
index 0e942a1d..b55e37da 100644
--- a/.github/workflows/linux_clang_format_check.yaml
+++ b/.github/workflows/linux_clang_format_check.yaml
@@ -1,4 +1,5 @@
 name: "Clang format check"
+permissions: read-all
 
 on:
   push:
diff --git a/.github/workflows/linux_publish_api_docs.yaml b/.github/workflows/linux_publish_api_docs.yaml
index 18465d61..4226ae74 100644
--- a/.github/workflows/linux_publish_api_docs.yaml
+++ b/.github/workflows/linux_publish_api_docs.yaml
@@ -1,4 +1,5 @@
 name: "Build and Publish API Documentation"
+permissions: read-all
 
 on:
   push:
diff --git a/.github/workflows/win_auto_roll.yaml b/.github/workflows/win_auto_roll.yaml
index f6cedd3b..32c9d34b 100644
--- a/.github/workflows/win_auto_roll.yaml
+++ b/.github/workflows/win_auto_roll.yaml
@@ -4,6 +4,7 @@
 # once the integration tests become green.
 # Any new dependencies in .\DEPS should also be added here.
 name: 'Auto Roll DEPS'
+permissions: read-all
 
 on:
   workflow_dispatch:
diff --git a/.github/workflows/win_x64_cmake_msvc_dbg.yaml b/.github/workflows/win_x64_cmake_msvc_dbg.yaml
index 78bdbdf2..5f5cca1c 100644
--- a/.github/workflows/win_x64_cmake_msvc_dbg.yaml
+++ b/.github/workflows/win_x64_cmake_msvc_dbg.yaml
@@ -1,4 +1,5 @@
 name: Windows x64 CMake/MSVC (Debug)
+permissions: read-all
 
 on:
   # This is a required workflow specified in branch enforcement
diff --git a/.github/workflows/win_x64_cmake_msvc_rel.yaml b/.github/workflows/win_x64_cmake_msvc_rel.yaml
index dcae1d3f..de284b96 100644
--- a/.github/workflows/win_x64_cmake_msvc_rel.yaml
+++ b/.github/workflows/win_x64_cmake_msvc_rel.yaml
@@ -1,4 +1,5 @@
 name: Windows x64 CMake/MSVC (Release)
+permissions: read-all
 
 on:
   # This is a required workflow specified in branch enforcement
diff --git a/.github/workflows/win_x64_gn_clang_dbg.yaml b/.github/workflows/win_x64_gn_clang_dbg.yaml
index 89c1ce50..117585c0 100644
--- a/.github/workflows/win_x64_gn_clang_dbg.yaml
+++ b/.github/workflows/win_x64_gn_clang_dbg.yaml
@@ -1,4 +1,5 @@
 name: Windows x64 GN/Clang (Debug)
+permissions: read-all
 
 on:
   # This is a required workflow specified in branch enforcement
diff --git a/.github/workflows/win_x64_gn_clang_dbg_dawn.yaml b/.github/workflows/win_x64_gn_clang_dbg_dawn.yaml
index af443e46..ba99e03e 100644
--- a/.github/workflows/win_x64_gn_clang_dbg_dawn.yaml
+++ b/.github/workflows/win_x64_gn_clang_dbg_dawn.yaml
@@ -1,4 +1,5 @@
 name: Windows x64 GN/Clang WebGPU/Dawn (Debug)
+permissions: read-all
 
 on:
   workflow_dispatch:
diff --git a/.github/workflows/win_x64_gn_clang_rel.yaml b/.github/workflows/win_x64_gn_clang_rel.yaml
index 127dbc50..aae65a16 100644
--- a/.github/workflows/win_x64_gn_clang_rel.yaml
+++ b/.github/workflows/win_x64_gn_clang_rel.yaml
@@ -1,4 +1,5 @@
 name: Windows x64 GN/Clang (Release)
+permissions: read-all
 
 on:
   # This is a required workflow specified in branch enforcement
diff --git a/.github/workflows/win_x64_gn_clang_rel_dawn.yaml b/.github/workflows/win_x64_gn_clang_rel_dawn.yaml
index ea539615..68b2ba0b 100644
--- a/.github/workflows/win_x64_gn_clang_rel_dawn.yaml
+++ b/.github/workflows/win_x64_gn_clang_rel_dawn.yaml
@@ -1,4 +1,5 @@
 name: Windows x64 GN/Clang WebGPU/Dawn (Release)
+permissions: read-all
 
 on:
   push:
diff --git a/.github/workflows/win_x64_gn_msvc_dbg.yaml b/.github/workflows/win_x64_gn_msvc_dbg.yaml
index 874ac064..fdc3e25b 100644
--- a/.github/workflows/win_x64_gn_msvc_dbg.yaml
+++ b/.github/workflows/win_x64_gn_msvc_dbg.yaml
@@ -1,4 +1,5 @@
 name: Windows x64 GN/MSVC (Debug)
+permissions: read-all
 
 on:
   # This is a required workflow specified in branch enforcement
diff --git a/.github/workflows/win_x64_gn_msvc_rel.yaml b/.github/workflows/win_x64_gn_msvc_rel.yaml
index 496c4d0a..56507d8b 100644
--- a/.github/workflows/win_x64_gn_msvc_rel.yaml
+++ b/.github/workflows/win_x64_gn_msvc_rel.yaml
@@ -1,4 +1,5 @@
 name: Windows x64 GN/MSVC (Release)
+permissions: read-all
 
 on:
   # This is a required workflow specified in branch enforcement
diff --git a/.github/workflows/win_x86_gn_clang_dbg.yaml b/.github/workflows/win_x86_gn_clang_dbg.yaml
index 94e7f998..a016c7f6 100644
--- a/.github/workflows/win_x86_gn_clang_dbg.yaml
+++ b/.github/workflows/win_x86_gn_clang_dbg.yaml
@@ -1,4 +1,5 @@
 name: Windows x86 GN/Clang (Debug)
+permissions: read-all
 
 on:
   # This is a required workflow specified in branch enforcement
diff --git a/.github/workflows/win_x86_gn_clang_rel.yaml b/.github/workflows/win_x86_gn_clang_rel.yaml
index dec8d76d..a755dace 100644
--- a/.github/workflows/win_x86_gn_clang_rel.yaml
+++ b/.github/workflows/win_x86_gn_clang_rel.yaml
@@ -1,4 +1,5 @@
 name: Windows x86 GN/Clang (Release)
+permissions: read-all
 
 on:
   # This is a required workflow specified in branch enforcement