diff --git a/.github/workflows/branch.yml b/.github/workflows/branch.yml
index 31e624ed7..1a9dc9b01 100644
--- a/.github/workflows/branch.yml
+++ b/.github/workflows/branch.yml
@@ -4,6 +4,8 @@ name: Branch Checks
 on:
 pull_request:
 
+permissions: {}
+
 jobs:
 target_branch:
 name: PR targets branch
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
index ed9ba265c..6039421de 100644
--- a/.github/workflows/codeowners.yml
+++ b/.github/workflows/codeowners.yml
@@ -7,6 +7,8 @@ on:
 - 'CODEOWNERS'
 - 'CODEOWNERS.in'
 
+permissions: {}
+
 jobs:
 updated:
 name: Up-to-date
diff --git a/.github/workflows/cross.yml b/.github/workflows/cross.yml
index 604ceb447..93f9509fb 100644
--- a/.github/workflows/cross.yml
+++ b/.github/workflows/cross.yml
@@ -5,6 +5,8 @@ on:
 pull_request:
 types: [ready_for_review, opened, reopened, synchronize, converted_to_draft, labeled]
 
+permissions: {}
+
 jobs:
 cross:
 name: Cross-Build
diff --git a/.github/workflows/dependent-issues.yml b/.github/workflows/dependent-issues.yml
index 91bde50c7..aec23b744 100644
--- a/.github/workflows/dependent-issues.yml
+++ b/.github/workflows/dependent-issues.yml
@@ -19,6 +19,11 @@ on:
 schedule:
 - cron: '0 0/6 * * *' # every 6 hours
 
+permissions:
+ issues: write
+ pull-requests: write
+ statuses: write
+
 jobs:
 check:
 name: Check Dependencies
diff --git a/.github/workflows/e2e-full.yml b/.github/workflows/e2e-full.yml
index aebf29764..34151cb48 100644
--- a/.github/workflows/e2e-full.yml
+++ b/.github/workflows/e2e-full.yml
@@ -5,6 +5,8 @@ on:
 pull_request:
 types: [labeled, opened, synchronize, reopened]
 
+permissions: {}
+
 jobs:
 e2e:
 name: E2E
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 3497da5fe..ce0957b14 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -4,6 +4,8 @@ name: End to End Default
 on:
 pull_request:
 
+permissions: {}
+
 jobs:
 e2e:
 name: E2E
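Review bot: `permissions: {}` in branch.yml (and the identical additions in codeowners.yml, cross.yml, e2e-full.yml, e2e.yml and the later workflow files) carries no comment saying why it is there, so a contributor whose step later needs the token may delete it instead of adding a job-level grant. A one-line comment above it would record the intent, for example `# Drop all default GITHUB_TOKEN scopes; grant what a job needs under that job`. The job bodies continue outside these hunks, so whether any existing step relies on a token scope cannot be checked from here.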
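Review bot: In dependent-issues.yml the three write scopes are granted at workflow level, so every job in the file inherits `issues: write`, `pull-requests: write` and `statuses: write`, including any job added later. report.yml in this same change uses the tighter shape: `permissions: {}` at the top and the grant on the job that needs it. Doing the same here means moving the block under `check:` and leaving `permissions: {}` at workflow level. The triggers above `schedule:` are outside the hunk; if any of them fires on contributions from forks (inferred, not visible), a short comment on why each write scope is required would help the next review.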
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index af5644fab..789362b0f 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -4,6 +4,8 @@ name: Linting
 on:
 pull_request:
 
+permissions: {}
+
 jobs:
 apply-suggestions-commits:
 name: 'No "Apply suggestions from code review" Commits'
diff --git a/.github/workflows/multiarch.yml b/.github/workflows/multiarch.yml
index b08708fcb..2f974d5d8 100644
--- a/.github/workflows/multiarch.yml
+++ b/.github/workflows/multiarch.yml
@@ -4,6 +4,8 @@ name: Multi-arch Builds
 on:
 pull_request:
 
+permissions: {}
+
 jobs:
 check-multiarch:
 name: Check the multi-arch builds
diff --git a/.github/workflows/periodic.yml b/.github/workflows/periodic.yml
index 879a08175..ccf590a64 100644
--- a/.github/workflows/periodic.yml
+++ b/.github/workflows/periodic.yml
@@ -5,6 +5,8 @@ on:
 schedule:
 - cron: "0 0 * * 0"
 
+permissions: {}
+
 jobs:
 markdown-link-check-periodic:
 name: Markdown Links (all files)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6cb67ede8..993d60d60 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,8 @@ on:
 - devel
 - release-*
 
+permissions: {}
+
 jobs:
 release:
 name: Release Images
diff --git a/.github/workflows/release_subctl_on_push.yml b/.github/workflows/release_subctl_on_push.yml
index a6393bbee..9087b7d48 100644
--- a/.github/workflows/release_subctl_on_push.yml
+++ b/.github/workflows/release_subctl_on_push.yml
@@ -6,6 +6,8 @@ on:
 branches:
 - devel
 
+permissions: {}
+
 jobs:
 release-subctl-on-push:
 if: github.repository_owner == 'submariner-io'
diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
index 805c74945..f41147c07 100644
--- a/.github/workflows/report.yml
+++ b/.github/workflows/report.yml
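Review bot: In release.yml the workflow-level `permissions: {}` has no matching job-level `permissions` block in the hunk, so the `release` job's `GITHUB_TOKEN` carries no granted scopes. If a step outside the hunk publishes with that token (a GitHub release, an asset upload, a package push), it needs an explicit grant on the job, such as `contents: write`, or it will fail on the first push to `devel` or `release-*`. The same applies to `release-subctl-on-push` in release_subctl_on_push.yml. Both job bodies continue outside the hunks, so this is a point to confirm before merging rather than a known break; publishing that uses separate registry credentials from secrets is unaffected.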
@@ -7,11 +7,15 @@ on:
 - devel
 - release-*
 
+permissions: {}
+
 jobs:
 vulnerability-scan:
 name: Vulnerability Scanning
 if: github.repository_owner == 'submariner-io'
 runs-on: ubuntu-latest
+ permissions:
+ security-events: write
 steps:
 - name: Check out the repository
 uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
diff --git a/.github/workflows/system.yml b/.github/workflows/system.yml
index f524a1a54..70cccbead 100644
--- a/.github/workflows/system.yml
+++ b/.github/workflows/system.yml
@@ -4,6 +4,8 @@ name: System Tests
 on:
 pull_request:
 
+permissions: {}
+
 jobs:
 system-test:
 name: Subctl Commands
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
index 1fd238724..c659db6ac 100644
--- a/.github/workflows/unit.yml
+++ b/.github/workflows/unit.yml
@@ -7,6 +7,8 @@ on:
 tags:
 - 'v**'
 
+permissions: {}
+
 jobs:
 unit-testing:
 name: Go Unit Tests
diff --git a/.github/workflows/upgrade-e2e.yml b/.github/workflows/upgrade-e2e.yml
index 3c2f9571a..bd21fe6ea 100644
--- a/.github/workflows/upgrade-e2e.yml
+++ b/.github/workflows/upgrade-e2e.yml
@@ -6,6 +6,8 @@ on:
 types: [ready_for_review, opened, reopened, synchronize, converted_to_draft, labeled]
 branches: [devel]
 
+permissions: {}
+
 jobs:
 upgrade-e2e:
 name: Latest Release to Latest Version
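Review bot: In report.yml the job-level `permissions` block on `vulnerability-scan` replaces the workflow-level value rather than adding to it, so the token has `security-events: write` and nothing else, in particular no `contents: read`. The checkout step that follows works without that scope only while the repository is public; adding `contents: read` next to `security-events: write` makes the dependency explicit and keeps the job working if visibility changes. A comment on the grant, for example `# required to upload scan results to code scanning`, would also help. The upload step is outside the hunk, so that purpose is inferred and should be confirmed.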