diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 066e70d10b0..8fa8605ed07 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -27,6 +27,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 build_cpu:
 runs-on: ubuntu-18.04
diff --git a/.github/workflows/build_pat.yml b/.github/workflows/build_pat.yml
index 438e27ed8a5..82eaafc0307 100644
--- a/.github/workflows/build_pat.yml
+++ b/.github/workflows/build_pat.yml
@@ -6,6 +6,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 build_parrots:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index f575061468b..c7fed28dd16 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -6,6 +6,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 build-n-publish:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 91565fe36af..a1e5aa2c083 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,6 +6,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index b3506c7a698..1ceee3df56d 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -5,8 +5,14 @@ on:
 # check issue and pull request once every day
 - cron: '25 11 * * *'
 
+permissions:
+ contents: read
+
 jobs:
 invalid-stale-close:
+ permissions:
+ issues: write
+ pull-requests: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/stale@v4
diff --git a/.github/workflows/test_mim.yml b/.github/workflows/test_mim.yml
index a57dda8a999..1a8e8efbfe6 100644
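Review bot: The new workflow-level `permissions:` block in build.yml has no comment, and the same three lines are added without one in build_pat.yml, deploy.yml, lint.yml, stale.yml and test_mim.yml. Once any scope is listed, every scope that is not listed drops to `none` for the GITHUB_TOKEN, so a step that later needs the token for anything beyond reading the repository will fail with a permissions error that is easy to misread. I would put `# Least privilege: GITHUB_TOKEN is read-only here; a job that needs more declares its own permissions block.` above `permissions:` in each file. The job bodies are outside these hunks, so whether an existing step already needs more than `contents: read` could not be checked from here.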
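Review bot: In deploy.yml the job `build-n-publish` now runs with `contents: read` only, and its steps are outside the hunk, so how it authenticates to the package index is not visible. A stored API token passed as a secret works under this setting, but OIDC-based trusted publishing would also need `id-token: write`. If that applies, grant it on the job rather than widening the workflow default, and restate `contents: read` there because a job-level block replaces the workflow-level one: `permissions: {contents: read, id-token: write}` under `build-n-publish:`.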
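Review bot: In stale.yml the job `invalid-stale-close` is given `issues: write` and `pull-requests: write`, and the step that receives that token is `- uses: actions/stale@v4`, a tag that can be moved to different code. Since this is the one job in the change that holds write scopes, I would pin the action to a full commit SHA and keep the tag as a comment, `- uses: actions/stale@<full-commit-sha-of-v4>  # v4`. It is also worth a comment above the job-level block, `# Replaces the workflow default: this job gets only these scopes (contents is none).`, because the job-level block does not merge with the top-level `contents: read`. The rest of the job's steps are outside the hunk.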
--- a/.github/workflows/test_mim.yml
+++ b/.github/workflows/test_mim.yml
@@ -15,6 +15,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 build_cpu:
 runs-on: ubuntu-18.04