diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 94fed5cb9c6..a4dccf0ca6b 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -35,11 +35,13 @@ on:
 permissions:
   contents: read
-  statuses: write
-  security-events: write
 jobs:
   analyze:
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/autobuild to send a status report
     name: Analyze
     runs-on: ubuntu-latest
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 443b3d93fca..d74eed027f5 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -12,6 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+permissions:
+  contents: read
+
 name: docker-build
 on:
   push:
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
index 22353936dea..554d2e4ca47 100644
--- a/.github/workflows/goreleaser.yaml
+++ b/.github/workflows/goreleaser.yaml
@@ -19,11 +19,14 @@ on:
     tags:
       - "*" # triggers only if push new tag version, like `0.8.4` or else
+permissions:
+  contents: read
+
 jobs:
   goreleaser:
-    runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: write # for goreleaser/goreleaser-action to create a GitHub release
+    runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 1c173f95ff2..54ddccf91fb 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -13,6 +13,10 @@
 # limitations under the License.
 name: build
+
+permissions:
+  contents: read
+
 on:
   push:
     branches:
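Review bot: The inline comment on the job-level `security-events: write` in codeql-analysis.yml attributes the grant to github/codeql-action/autobuild sending a status report, but the step that actually depends on this scope is the SARIF upload performed by github/codeql-action/analyze (or upload-sarif), so an auditor tracing the permission would look at the wrong step. Suggest `security-events: write  # for github/codeql-action/analyze to upload SARIF results`. The three added comments also sit one space after the value, while yamllint's default `comments` rule expects at least two spaces before `#`; the same applies to the `contents: write` comment in the goreleaser.yaml hunk. The analyze job's steps continue outside the hunk, so this note cannot confirm what the remaining steps require.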
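Review bot: The new top-level `permissions:` block in docker.yml replaces the default GITHUB_TOKEN grant for every job in the file, and the jobs themselves are outside the hunk; a docker-build workflow that pushes to GHCR needs a job-level `packages: write` (and `id-token: write` if it publishes or signs via OIDC), so each job should be checked for an explicit job-level `permissions:` block before this merges. The same check applies to the main.yml hunk, which adds the identical top-level block. Placement also differs between the two files: docker.yml puts the block before `name:`, main.yml after it; settling on one order keeps the workflows consistent and easier to audit.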
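Review bot: With the new top-level block reducing the token to `contents: read`, the job-level `permissions:` in goreleaser.yaml is now the only grant the release job receives, and `contents: write` covers only the GitHub release itself; if the goreleaser configuration (outside this diff) also pushes images to GHCR, updates a tap in another repository, or signs artifacts keyless, it needs `packages: write`, a separately scoped token, or `id-token: write`, none of which this hunk grants. Moving `runs-on: ubuntu-latest` below `permissions:` is a pure reorder that adds two lines of diff noise without changing behaviour; leaving it in place would have reduced the hunk to the comment change.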