diff --git a/.github/workflows/composer-install.yml b/.github/workflows/composer-install.yml index bbe7797..552313a 100644 --- a/.github/workflows/composer-install.yml +++ b/.github/workflows/composer-install.yml @@ -8,6 +8,11 @@ on: - "composer.json" - "composer.lock" +permissions: + contents: read + packages: read + statuses: read + jobs: ComposerInstall: runs-on: ubuntu-latest diff --git a/.github/workflows/compress-images.yml b/.github/workflows/compress-images.yml index 92fd609..999a449 100644 --- a/.github/workflows/compress-images.yml +++ b/.github/workflows/compress-images.yml @@ -8,6 +8,10 @@ on: schedule: - cron: "00 23 * * 0" +permissions: + contents: read + statuses: read + jobs: CompressOnDemandOrSchedule: name: calibreapp/image-actions diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index d4889c4..85692be 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -12,6 +12,11 @@ name: "Dependency Review" on: [pull_request] +permissions: + contents: read + packages: read + statuses: read + jobs: dependency-review: runs-on: ubuntu-latest diff --git a/.github/workflows/laravel-phpunit.yml b/.github/workflows/laravel-phpunit.yml index 653cd86..137be32 100644 --- a/.github/workflows/laravel-phpunit.yml +++ b/.github/workflows/laravel-phpunit.yml @@ -7,6 +7,11 @@ on: pull_request: branches: [main] +permissions: + contents: read + packages: read + statuses: read + jobs: laravel-tests: runs-on: ubuntu-latest diff --git a/.github/workflows/pr-compress-images.yml b/.github/workflows/pr-compress-images.yml index 3500ba3..d708574 100644 --- a/.github/workflows/pr-compress-images.yml +++ b/.github/workflows/pr-compress-images.yml @@ -11,6 +11,11 @@ on: - "**.png" - "**.webp" +permissions: + contents: read + packages: read + statuses: read + jobs: CompressInPR: # Only run on Pull Requests within the same repository, and not from forks. 
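Review bot: `packages: read` and `statuses: read` are granted in composer-install.yml, but the visible lines show nothing that uses them; only `runs-on` of the `ComposerInstall` job is inside the hunk. A job that just checks out the repository and installs dependencies normally needs `contents: read` alone. Either drop the two extra scopes or justify each with a trailing comment, for example `packages: read  # pull private packages from GitHub Packages`, if that is the reason. The same three-scope block is repeated in dependency-review.yml and laravel-phpunit.yml, where the same question applies.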
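Review bot: Declaring a top-level `permissions:` block sets every unlisted scope to `none`, so in compress-images.yml the `CompressOnDemandOrSchedule` job's `GITHUB_TOKEN` can no longer push commits or open a pull request. The job body is outside the hunk, but a scheduled job named `calibreapp/image-actions` presumably writes the compressed images back to the repository. If it does, keep the workflow default read-only and add a job-level override such as `permissions: { contents: write, pull-requests: write }` on that job only. The `CompressInPR` job in pr-compress-images.yml needs the same check before this merges.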
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml index 2fdcf56..ae442e7 100644 --- a/.github/workflows/pr-lint.yml +++ b/.github/workflows/pr-lint.yml @@ -24,6 +24,11 @@ on: pull_request: branches: [master, main] +permissions: + contents: read + packages: read + statuses: read + ############### # Set the Job # ############### diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index c3e3094..6db5053 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -4,6 +4,11 @@ name: Release Drafter on: workflow_call: +permissions: + contents: read + packages: read + statuses: read + jobs: update_release_draft: name: ✏️ Draft release diff --git a/.github/workflows/release-monthly.yaml b/.github/workflows/release-monthly.yaml index aa98656..3d8ac41 100644 --- a/.github/workflows/release-monthly.yaml +++ b/.github/workflows/release-monthly.yaml @@ -7,6 +7,11 @@ on: schedule: - cron: "0 0 1 * *" # 1st of every month at midnight +permissions: + contents: read + packages: read + statuses: read + jobs: release: name: Release diff --git a/.github/workflows/reviewdog-linters.yml b/.github/workflows/reviewdog-linters.yml index 710f600..94f42f6 100644 --- a/.github/workflows/reviewdog-linters.yml +++ b/.github/workflows/reviewdog-linters.yml @@ -3,6 +3,10 @@ name: Reviewdog Linters on: [pull_request] +permissions: + contents: read + statuses: read + jobs: linters: name: Linters diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index b03940f..a05e2e1 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -7,6 +7,11 @@ on: workflow_call: workflow_dispatch: +permissions: + contents: read + packages: read + statuses: read + jobs: stale: name: 🧹 Clean up stale issues and PRs diff --git a/.github/workflows/sync-labels-to-own-projects.yml b/.github/workflows/sync-labels-to-own-projects.yml index 60bf7a7..617d181 100644 
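Review bot: `statuses: read` in pr-lint.yml is probably the wrong access level if the lint job reports results as commit statuses on the pull request. The job is below the hunk, but the `Set the Job` banner suggests the super-linter template, whose status reporting needs write access to statuses. With read access those status updates would be rejected while the step itself may still pass, which hides the failure. If that is the setup, change the line to `statuses: write  # report per-linter commit statuses` and leave `contents` and `packages` read-only.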
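Review bot: With `contents: read` as the workflow default in release-drafter.yml, the `update_release_draft` job cannot create or update a draft release unless it declares its own `permissions:` further down, outside the hunk. Drafting a release needs `contents: write`, plus `pull-requests: write` if the job also labels pull requests. Because this workflow is triggered only by `workflow_call`, its token is also capped by what the calling workflow grants, so a comment above the block such as `# callers must grant contents: write` would save the next maintainer a debugging session. The `release` job in release-monthly.yaml is in the same position.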
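Review bot: Listing only `contents` and `statuses` in reviewdog-linters.yml drops `pull-requests`, `checks` and `issues` to `none`, so the `linters` job cannot post findings to the PR if reviewdog uses a GitHub reporter; the job body is outside the hunk. Grant the one scope the reporter needs at job level, for example `pull-requests: write` for review comments or `checks: write` for check annotations. The same gap likely affects stale.yml, where closing and labelling stale items needs `issues: write` and `pull-requests: write`. It also likely affects sync-labels.yml and sync-labels-to-own-projects.yml, where label management needs `issues: write` unless those jobs authenticate with a separate token. A trial run of each workflow via `workflow_dispatch` or a test PR would confirm which scopes are really required.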
--- a/.github/workflows/sync-labels-to-own-projects.yml +++ b/.github/workflows/sync-labels-to-own-projects.yml @@ -12,6 +12,10 @@ on: schedule: - cron: "0 0 * * *" # Every day at midnight +permissions: + contents: read + statuses: read + jobs: sync-labels: runs-on: ubuntu-latest diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 5e5de18..e8bdd38 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -13,6 +13,10 @@ on: workflow_call: workflow_dispatch: +permissions: + contents: read + statuses: read + jobs: labels: name: ♻️ Sync labels