diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index 217bef2ad..c9397fc8a 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -1,8 +1,13 @@
 name: CIFuzz
+
 on:
   pull_request:
     branches:
       - master
+
+permissions:
+  contents: read
+
 jobs:
   Fuzzing:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 5a2e94569..1ad2763ea 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -1,6 +1,11 @@
 name: golangci-lint
+
 on:
   pull_request:
+
+permissions:
+  contents: read
+
 jobs:
   golangci:
     name: lint
diff --git a/.github/workflows/make.doc.yml b/.github/workflows/make.doc.yml
index ed00e785b..471ca31bd 100644
--- a/.github/workflows/make.doc.yml
+++ b/.github/workflows/make.doc.yml
@@ -4,7 +4,8 @@ on:
   schedule:
     - cron: '22 10 * * 0'
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   fix:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8fa671b57..d1b1b4bad 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,9 @@ on:
         description: "Commit (e.g., 52f0348)"
         default: "master"
 
+permissions:
+  contents: read
+
 jobs:
   release:
     name: Release