diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index a2962bada..a51a8fd52 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -9,6 +9,9 @@ on:
   schedule: # Trigger a job on default branch at 4AM PST everyday
     - cron: 0 11 * * *
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.compare || github.head_ref || github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
diff --git a/.github/workflows/code-formatting-check.yaml b/.github/workflows/code-formatting-check.yaml
index 3b855f5ee..19064c4f4 100644
--- a/.github/workflows/code-formatting-check.yaml
+++ b/.github/workflows/code-formatting-check.yaml
@@ -9,6 +9,9 @@ on:
   schedule: # Trigger a job on default branch at 4AM PST everyday
     - cron: 0 11 * * *
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.compare || github.head_ref || github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
@@ -33,6 +36,9 @@ jobs:
   taplo-fmt:
     name: .toml Formatting Check
     runs-on: windows-2025
+    permissions:
+      contents: read
+      actions: write # taiki-e/cache-cargo-install-action writes to GitHub Actions cache
 
     steps:
       - name: Checkout Repository
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index f009ca2a1..9079211c4 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -9,6 +9,9 @@ on:
   schedule: # Trigger a job on default branch at 4AM PST everyday
     - cron: 0 11 * * *
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.compare || github.head_ref || github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
diff --git a/.github/workflows/local-development-makefile.yaml b/.github/workflows/local-development-makefile.yaml
index 45bc1b991..472f7bb56 100644
--- a/.github/workflows/local-development-makefile.yaml
+++ b/.github/workflows/local-development-makefile.yaml
@@ -9,6 +9,9 @@ on:
   schedule: # Trigger a job on default branch at 4AM PST everyday
     - cron: 0 11 * * *
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.compare || github.head_ref || github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index c2bb978b2..782b2397d 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -9,6 +9,9 @@ on:
 
 name: Test
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.compare || github.head_ref || github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
diff --git a/.github/workflows/typos.yaml b/.github/workflows/typos.yaml
index 0e69777d6..342485a81 100644
--- a/.github/workflows/typos.yaml
+++ b/.github/workflows/typos.yaml
@@ -9,6 +9,9 @@ on:
 
 name: Typos
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.compare || github.head_ref || github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
diff --git a/.github/workflows/version-checks.yaml b/.github/workflows/version-checks.yaml
index 81c65aec7..741b332b1 100644
--- a/.github/workflows/version-checks.yaml
+++ b/.github/workflows/version-checks.yaml
@@ -7,6 +7,9 @@ on:
   pull_request:
   merge_group:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.compare || github.head_ref || github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}