diff --git a/.github/workflows/htmlvalidator.yml b/.github/workflows/htmlvalidator.yml
index ee62b914d7d..2729ec80fb4 100644
--- a/.github/workflows/htmlvalidator.yml
+++ b/.github/workflows/htmlvalidator.yml
@@ -5,6 +5,9 @@ on:
     paths:
       - '**.htm*'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/licensecheck.yml b/.github/workflows/licensecheck.yml
index 5788e0debf7..32b1b9e134e 100644
--- a/.github/workflows/licensecheck.yml
+++ b/.github/workflows/licensecheck.yml
@@ -14,6 +14,9 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   call-license-check:
     permissions:
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index a33fd24222a..f542e336227 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -9,6 +9,10 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+  issues: read
+
 jobs:
   check-freeze-period:
     uses: ./.github/workflows/verifyFreezePeriod.yml