diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index c1c4c2e584..215a2e2ef9 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -2,6 +2,9 @@ name: backport
 on:
 pull_request_target:
 types: [closed, labeled]
+
+permissions: {}
+
 jobs:
 backport:
 permissions:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b4ad785f43..978517dba0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,6 +12,9 @@ on:
 - '.github/**'
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/build_dummy.yml b/.github/workflows/build_dummy.yml
index 141bdfaeda..c29a3a7800 100644
--- a/.github/workflows/build_dummy.yml
+++ b/.github/workflows/build_dummy.yml
@@ -14,6 +14,8 @@ on:
 - 'cmake.*/**'
 - '.github/**'
 
+permissions: {}
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 814e5d504b..edd0d1ba63 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -12,6 +12,8 @@ on:
 branches: [ "master" ]
 workflow_dispatch:
 
+permissions: {}
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index a0ba9091e6..67c6dbc822 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -4,6 +4,9 @@ on:
 - cron: '10 0 * * *' # Run every day at 00:10
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 scan:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index d652129f46..40787a1b8f 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
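Review bot: The workflow-level `permissions: {}` in backport.yml only narrows the GITHUB_TOKEN; on a `pull_request_target` trigger the real exposure is that the run has base-repository secrets, and the empty token does nothing to protect those. The job-level `permissions:` block under `backport:` (which continues outside the hunk) now carries the entire grant, so it should list only the scopes the backport step needs — presumably `contents: write` and `pull-requests: write` — and no step should check out or execute code from the PR head ref. A short comment above the new line would record the intent: `# Default to no token scopes; the backport job grants its own minimal set below`.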
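Review bot: In codeql.yml, `permissions: {}` at the workflow level means the `analyze` job only functions if it declares its own permissions, and CodeQL's results upload requires `security-events: write` (plus `contents: read` for checkout and `actions: read` on private repositories). The job block under `analyze:` lies outside the hunk, so I cannot confirm it grants those; if it does not, the scan will run but fail to upload its SARIF. Consider annotating the new line: `# No default scopes; the analyze job declares security-events: write below`.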
@@ -2,6 +2,9 @@ name: docs
 on:
 pull_request:
 types: [opened, synchronize, reopened, ready_for_review]
+
+permissions: {}
+
 jobs:
 docs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/labeler_issue.yml b/.github/workflows/labeler_issue.yml
index 1c4d3b9402..75c7c1f2e9 100644
--- a/.github/workflows/labeler_issue.yml
+++ b/.github/workflows/labeler_issue.yml
@@ -2,6 +2,9 @@ name: "labeler: issue"
 on:
 issues:
 types: [opened]
+
+permissions: {}
+
 jobs:
 labeler:
 permissions:
diff --git a/.github/workflows/labeler_pr.yml b/.github/workflows/labeler_pr.yml
index d9fd0abffe..ed9321a897 100644
--- a/.github/workflows/labeler_pr.yml
+++ b/.github/workflows/labeler_pr.yml
@@ -2,6 +2,9 @@ name: "labeler: PR"
 on:
 pull_request_target:
 types: [opened]
+
+permissions: {}
+
 jobs:
 changed-files:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lintcommit.yml b/.github/workflows/lintcommit.yml
index 9bf51db6cc..1bcb2becb9 100644
--- a/.github/workflows/lintcommit.yml
+++ b/.github/workflows/lintcommit.yml
@@ -4,6 +4,10 @@ on:
 types: [opened, synchronize, reopened, ready_for_review]
 branches:
 - 'master'
+
+permissions:
+ contents: read
+
 jobs:
 lint-commits:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lintcommit_dummy.yml b/.github/workflows/lintcommit_dummy.yml
index e4a0c4af2d..fde80474b7 100644
--- a/.github/workflows/lintcommit_dummy.yml
+++ b/.github/workflows/lintcommit_dummy.yml
@@ -8,6 +8,9 @@ on:
 types: [opened, synchronize, reopened, ready_for_review]
 branches:
 - 'release-[0-9]+.[0-9]+'
+
+permissions: {}
+
 jobs:
 lint-commits:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lintdocurls.yml b/.github/workflows/lintdocurls.yml
index b63167e67a..424429933e 100644
--- a/.github/workflows/lintdocurls.yml
+++ b/.github/workflows/lintdocurls.yml
@@ -4,6 +4,8 @@ on:
 - cron: '22 22 * * 5'
 workflow_dispatch:
 
+permissions: {}
+
 jobs:
 check-unreachable-urls:
 runs-on: ubuntu-latest
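Review bot: In labeler_pr.yml the `changed-files` job runs on `pull_request_target`, which is exactly the combination where a third-party action or a checkout of the PR head can turn a write-capable token into a repository compromise; the workflow-level `permissions: {}` helps only if the job-level grant (outside the hunk) is limited to `pull-requests: write` for the labeling step. Presumably the job computes the changed files via a third-party action — if so it should be pinned to a full commit SHA rather than a tag, since an unpinned action here executes in a privileged context. A comment such as `# pull_request_target: keep scopes at the job level and never run PR-head code` would make the constraint explicit for future edits.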
diff --git a/.github/workflows/news.yml b/.github/workflows/news.yml
index dd7465a9be..56be287eac 100644
--- a/.github/workflows/news.yml
+++ b/.github/workflows/news.yml
@@ -4,6 +4,10 @@ on:
 types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
 branches:
 - 'master'
+
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/optional.yml b/.github/workflows/optional.yml
index 540daccc56..acaf3644c7 100644
--- a/.github/workflows/optional.yml
+++ b/.github/workflows/optional.yml
@@ -4,6 +4,9 @@ on:
 types: [labeled, opened, synchronize, reopened]
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9e2d88a006..76440c1ebc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,6 +12,9 @@ on:
 tags:
 - v[0-9]+.[0-9]+.[0-9]+
 
+permissions:
+ contents: read
+
 # Build on the oldest supported images, so we have broader compatibility
 jobs:
 setup:
diff --git a/.github/workflows/response.yml b/.github/workflows/response.yml
index a518249ad1..b104334bb4 100644
--- a/.github/workflows/response.yml
+++ b/.github/workflows/response.yml
@@ -5,6 +5,8 @@ on:
 workflow_dispatch:
 issue_comment:
 
+permissions: {}
+
 jobs:
 close:
 if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
diff --git a/.github/workflows/reviewers_add.yml b/.github/workflows/reviewers_add.yml
index cd594ebb28..5f07f4994e 100644
--- a/.github/workflows/reviewers_add.yml
+++ b/.github/workflows/reviewers_add.yml
@@ -3,6 +3,9 @@ on:
 pull_request_target:
 types: [labeled, ready_for_review, reopened]
 workflow_call:
+
+permissions: {}
+
 jobs:
 request-reviewer:
 if: github.event.pull_request.state == 'open' && github.event.pull_request.draft == false && !endsWith(github.actor, '[bot]')
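Review bot: The new workflow-level `contents: read` in release.yml now applies to every job that does not declare its own `permissions:` block, and a release workflow that creates a GitHub release or uploads assets needs `contents: write` on that job. The `setup:` job and the publishing jobs are outside the hunk, so confirm the job that publishes declares `permissions: contents: write` at job level, or the release step will fail on the next tag push. A comment above the new block, `# Read-only by default; only the publish job elevates to contents: write`, would document the split.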
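Review bot: In response.yml the `permissions: {}` default combined with an `issue_comment` trigger is sensible, but the `close` job (guarded here to `schedule`/`workflow_dispatch`) presumably closes issues or PRs and therefore needs `issues: write` and/or `pull-requests: write` at job level, which is outside the hunk. Any other job in this file that reacts to `issue_comment` runs on comments from arbitrary users, so its job-level grant should be the narrowest that still works and should not include `contents: write`. Consider recording this with `# Scopes are granted per job; issue_comment runs on untrusted input`.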
diff --git a/.github/workflows/reviewers_remove.yml b/.github/workflows/reviewers_remove.yml
index 11a46ead87..98a207264e 100644
--- a/.github/workflows/reviewers_remove.yml
+++ b/.github/workflows/reviewers_remove.yml
@@ -2,6 +2,9 @@ name: "reviewers: remove"
 on:
 pull_request_target:
 types: [converted_to_draft, closed]
+
+permissions: {}
+
 jobs:
 remove-reviewers:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d69f38c9fd..578669c338 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,6 +10,9 @@ on:
 - 'release-[0-9]+.[0-9]+'
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/test_windows.yml b/.github/workflows/test_windows.yml
index 9099548f1a..5bc9de73b1 100644
--- a/.github/workflows/test_windows.yml
+++ b/.github/workflows/test_windows.yml
@@ -9,6 +9,9 @@ on:
 type: number
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 windows:
 runs-on: windows-2025
diff --git a/.github/workflows/vim_patches.yml b/.github/workflows/vim_patches.yml
index c710cb72bd..73c2c97fac 100644
--- a/.github/workflows/vim_patches.yml
+++ b/.github/workflows/vim_patches.yml
@@ -4,6 +4,8 @@ on:
 - cron: '3 3 * * *'
 workflow_dispatch:
 
+permissions: {}
+
 jobs:
 update-vim-patches:
 runs-on: ubuntu-latest
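Review bot: In vim_patches.yml, `permissions: {}` gives the `update-vim-patches` job a token with no scopes, yet a scheduled job that updates vim patches presumably pushes a branch or opens a pull request, which needs `contents: write` and `pull-requests: write` from GITHUB_TOKEN or a separately provisioned PAT/app token. The job body is outside the hunk; if it authenticates with a stored PAT, the empty GITHUB_TOKEN is not what authorizes the push and that is worth stating, e.g. `# GITHUB_TOKEN is unused; the update step authenticates with its own credential`. If it relies on GITHUB_TOKEN, the job needs a job-level `permissions:` block or the scheduled run will start failing silently.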