diff --git a/.github/workflows/license-header-check.yml b/.github/workflows/license-header-check.yml
index 0ffdd4ce9..91fd4d84d 100644
--- a/.github/workflows/license-header-check.yml
+++ b/.github/workflows/license-header-check.yml
@@ -12,6 +12,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   license-header-check:
     name: License Header Check
diff --git a/.github/workflows/yarn-scan-backend-go-pr.yml b/.github/workflows/yarn-scan-backend-go-pr.yml
index 0cbe63191..58cf391c2 100644
--- a/.github/workflows/yarn-scan-backend-go-pr.yml
+++ b/.github/workflows/yarn-scan-backend-go-pr.yml
@@ -15,6 +15,9 @@ on:
       - ".yarn-audit-allowlist.json"
       - ".github/workflows/yarn-scan-backend-go-pr.yml"
 
+permissions:
+  contents: read
+
 jobs:
   yarn-scan-backend-go-pr:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/yarn-scan-backend-pr.yml b/.github/workflows/yarn-scan-backend-pr.yml
index 925696604..5f9958b95 100644
--- a/.github/workflows/yarn-scan-backend-pr.yml
+++ b/.github/workflows/yarn-scan-backend-pr.yml
@@ -15,6 +15,9 @@ on:
       - ".yarn-audit-allowlist.json"
       - ".github/workflows/yarn-scan-backend-pr.yml"
 
+permissions:
+  contents: read
+
 jobs:
   yarn-scan-backend-pr:
     runs-on: ubuntu-latest