diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index f6d3a616a..cc231b462 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -6,6 +6,9 @@ on:
 schedule:
 - cron: '15 4 * * *'
 
+permissions:
+ contents: read
+
 jobs:
 # Run our nightly builds. We build a matrix with the various build
 # targets and their details. Then we build either in a docker container
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 5e456a816..3de084b8d 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -13,6 +13,9 @@ env:
 docker-registry: ghcr.io
 docker-config-path: source/ci/docker
 
+permissions:
+ contents: read
+
 jobs:
 containers:
 uses: ./.github/workflows/build-containers.yml
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index fa7ef715f..ae55b36c0 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -10,6 +10,9 @@ env:
 docker-registry: ghcr.io
 docker-config-path: source/ci/docker
 
+permissions:
+ contents: read
+
 jobs:
 # Run our nightly builds. We build a matrix with the various build
 # targets and their details. Then we build either in a docker container
@@ -385,6 +388,11 @@ jobs:
 # from using build minutes on their forks.
 if: github.repository == 'libgit2/libgit2'
 
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
 name: CodeQL
 runs-on: ubuntu-latest
 steps:
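Review bot: In `.github/workflows/main.yml` the new workflow-level `permissions: contents: read` also caps the token passed to the `containers` job, which calls `./.github/workflows/build-containers.yml`; a called workflow can only narrow the caller's permissions, and every scope not listed drops to `none`. With `docker-registry: ghcr.io` in `env`, that reusable workflow presumably pushes images using `GITHUB_TOKEN`, which needs `packages: write`. If so, the job needs its own block under `containers:`, for example `permissions: { contents: read, packages: write }`. The same check applies to any image-publishing job in `nightly.yml`, which sets the same `env` and whose `jobs:` body lies outside the hunk.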
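Review bot: The job-level `permissions` block on the CodeQL job in `nightly.yml` replaces the workflow default instead of adding to it, and nothing in the hunk records why each scope is granted. A short comment above the block would stop later edits from widening it, e.g. `# security-events: write is required to upload CodeQL results; the read scopes are for fetching sources and workflow metadata`. The CodeQL starter workflow documents `actions: read` as needed only for private repositories, so if `libgit2/libgit2` is public that scope can likely be dropped. The job's `steps:` continue outside the hunk.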