diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 481c85deb..73a61ed98 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,6 +19,9 @@ on:
   schedule:
     - cron: '45 2 * * 0'
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index e21f9108e..732cdca13 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -6,6 +6,10 @@ on:
     branches:
       - "*"
   pull_request:
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   golangci:
     name: lint
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 13a18b5c2..dddc821c6 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -10,6 +10,10 @@ on:
         - release-1.0
         - release-1.1
 
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build: