diff --git a/.github/workflows/maven_build_and_verify.yml b/.github/workflows/maven_build_and_verify.yml
index ef72068c..c41a51f4 100644
--- a/.github/workflows/maven_build_and_verify.yml
+++ b/.github/workflows/maven_build_and_verify.yml
@@ -26,6 +26,9 @@ on:
 env:
   SIGNING_ENABLED: ${{ github.event.inputs.signJarArtifacts }}
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/remove_old_artifacts.yml b/.github/workflows/remove_old_artifacts.yml
index 542c74aa..6d1ca773 100644
--- a/.github/workflows/remove_old_artifacts.yml
+++ b/.github/workflows/remove_old_artifacts.yml
@@ -5,6 +5,9 @@ on:
     # Every day at 1am
     - cron: '0 1 * * *'
 
+permissions:
+  actions: write
+
 jobs:
   remove-old-artifacts:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
index 20c17a51..4f724f2e 100644
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
@@ -12,6 +12,9 @@ on:
   pull_request:
     branches: [ "develop" ]
 
+permissions:
+  contents: read
+
 jobs:
   TruffleHog:
     runs-on: ubuntu-latest