diff --git a/.github/workflows/build-ngwaf-compute-integration.yaml b/.github/workflows/build-ngwaf-compute-integration.yaml
index 6fa208d..4f65752 100644
--- a/.github/workflows/build-ngwaf-compute-integration.yaml
+++ b/.github/workflows/build-ngwaf-compute-integration.yaml
@@ -1,5 +1,7 @@
 name: Build ngwaf-compute-integration
 on: push
+permissions:
+  contents: read
 
 jobs:
   build-ngwaf-compute-integration:
diff --git a/.github/workflows/github-action.yml b/.github/workflows/github-action.yml
index 18a6a3e..d8d090d 100644
--- a/.github/workflows/github-action.yml
+++ b/.github/workflows/github-action.yml
@@ -1,7 +1,8 @@
 # This is a basic workflow to help you get started with Actions
 
 name: CI
-
+permissions:
+  contents: read
 # Controls when the workflow will run
 on:
   # Triggers the workflow on push or pull request events but only for the "main" branch
diff --git a/.github/workflows/ngwaf-envoy.yaml b/.github/workflows/ngwaf-envoy.yaml
index 1f10fe7..d2a23dd 100644
--- a/.github/workflows/ngwaf-envoy.yaml
+++ b/.github/workflows/ngwaf-envoy.yaml
@@ -1,4 +1,6 @@
 name: Envoy NGWAF Deployment
+permissions:
+  contents: read
 
 on:
   workflow_dispatch:
diff --git a/.github/workflows/ngwaf-k8s-module-agent.yaml b/.github/workflows/ngwaf-k8s-module-agent.yaml
index 0df0c37..43296f6 100644
--- a/.github/workflows/ngwaf-k8s-module-agent.yaml
+++ b/.github/workflows/ngwaf-k8s-module-agent.yaml
@@ -1,4 +1,6 @@
 name: k8s module-agent NGWAF Deployment
+permissions:
+  contents: read
 
 on:
   workflow_dispatch:
diff --git a/.github/workflows/ngwaf-proxy-rate-limit.yaml b/.github/workflows/ngwaf-proxy-rate-limit.yaml
index 6a2ae01..50c028c 100644
--- a/.github/workflows/ngwaf-proxy-rate-limit.yaml
+++ b/.github/workflows/ngwaf-proxy-rate-limit.yaml
@@ -1,4 +1,6 @@
 name: Rate Limiting Demo
+permissions:
+  contents: read
 
 on:
   workflow_dispatch: