diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 18cba71c..28c16d1d 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -1,5 +1,9 @@
 on: [pull_request]
 
+
+permissions:
+  contents: read
+
 name: Check
 
 jobs:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index c581a007..b539d090 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,6 +14,11 @@ on:
   schedule:
     - cron: '0 0 * * 2'
 
+
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/notifications.yml b/.github/workflows/notifications.yml
index d2d7727b..8fbbc95f 100644
--- a/.github/workflows/notifications.yml
+++ b/.github/workflows/notifications.yml
@@ -7,6 +7,10 @@ on:
   issue_comment:
     types: [created]
 
+
+permissions:
+  contents: read
+
 jobs:
   issue-notifications:
     name: Send Notifications