diff --git a/.github/workflows/code.yml b/.github/workflows/code.yml
index 8518ff36..a15ce272 100644
--- a/.github/workflows/code.yml
+++ b/.github/workflows/code.yml
@@ -4,8 +4,15 @@ on:
 pull_request:
 branches: [main]
+permissions:
+ contents: read
+
 jobs:
 go:
+ permissions:
+ contents: read # fetch code
+ pull-requests: read # fetch pull requests
+
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Repository
@@ -26,6 +33,7 @@ jobs:
 with:
 version: latest
+ # Inherits workflow permissions.
 python:
 runs-on: ubuntu-latest
 steps:
@@ -42,6 +50,7 @@ jobs:
 pip3 install black
 find -name *.py | xargs black --check
+ # Inherits workflow permissions.
 jsonnet:
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/conventional_commits.yml b/.github/workflows/conventional_commits.yml
index 3d10279a..3848b9fd 100644
--- a/.github/workflows/conventional_commits.yml
+++ b/.github/workflows/conventional_commits.yml
@@ -7,10 +7,16 @@ on:
 - edited
 - synchronize
+permissions:
+ contents: read
+
 jobs:
 conventional_commits:
- runs-on: ubuntu-latest
+ permissions:
+ pull-requests: read # analyze PRs
+ statuses: write # update status of analyzed PR
+ runs-on: ubuntu-latest
 steps:
 - uses: amannn/action-semantic-pull-request@v4
 env:
diff --git a/.github/workflows/release_please.yml b/.github/workflows/release_please.yml
index 1bbfc93c..faa370ab 100644
--- a/.github/workflows/release_please.yml
+++ b/.github/workflows/release_please.yml
@@ -5,10 +5,16 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 release_please:
- runs-on: ubuntu-latest
+ permissions:
+ contents: write # create release commit
+ pull-requests: write # create release PR
+ runs-on: ubuntu-latest
 steps:
 - uses: google-github-actions/release-please-action@v3
 with:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 41e71352..6b6f0ccf 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
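Review bot: The job-level block for `go` grants `pull-requests: read` with only `# fetch pull requests` as justification, and nothing in the hunk shows which step actually reads pull-request data; a job-level `permissions` key replaces the workflow-level set entirely (which is why repeating `contents: read` here is correct), so each extra scope should be tied to the step that needs it. Suggest `pull-requests: read # needed by <step name> to diff the PR` with the real step filled in, or dropping the scope if no step uses it. The `go` job's steps continue outside the hunk.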
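Review bot: `statuses: write` is the only write scope this change hands to `amannn/action-semantic-pull-request@v4`, with `# update status of analyzed PR` as the reason; I am not certain this version posts a commit status rather than simply failing its own check run, so please confirm against the action's README for the pinned version and drop the scope if it is unused, since the workflow runs on `pull_request` events. The action is referenced by the mutable tag `@v4`; with a write scope in play, a full commit-SHA pin (`amannn/action-semantic-pull-request@<commit-sha> # v4`) limits what a moved tag could do with the token. The `env:` block continues outside the hunk.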
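Review bot: With `contents: write` and `pull-requests: write` the job can create the release commit and PR, but if those writes are made with the default `GITHUB_TOKEN`, the release PR it opens will not trigger the `pull_request` workflows in this repo (GitHub suppresses workflow runs for events created with `GITHUB_TOKEN`), so code.yml and conventional_commits.yml would not run on it; if that matters, the action needs a separately scoped token passed via its `token` input. Worth a comment next to the job-level block, e.g. `# NOTE: PRs opened with GITHUB_TOKEN do not trigger pull_request workflows`. The `with:` block that would show which token is used continues outside the hunk.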
@@ -10,9 +10,9 @@ on:
 # To guarantee Maintained check is occasionally updated. See
 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
 schedule:
- - cron: '17 17 * * 2'
+ - cron: "17 17 * * 2"
 push:
- branches: [ "main" ]
+ branches: ["main"]
 # Declare default permissions as read only.
 permissions: read-all