diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 4c9f710b..54c7ad3e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,13 +8,14 @@ on:
 schedule:
 - cron: "39 5 * * 1"
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 analyze:
 name: Analyze
 runs-on: ubuntu-latest
 permissions:
- actions: read
- contents: read
 security-events: write
 strategy:
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 114182c4..2c04268e 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -4,6 +4,9 @@ on:
 push:
 branches: [ "master" ]
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 coverage:
 name: Run tests and generate coverage reports
diff --git a/.github/workflows/lint-c.yml b/.github/workflows/lint-c.yml
index e9b49b76..623f05b0 100644
--- a/.github/workflows/lint-c.yml
+++ b/.github/workflows/lint-c.yml
@@ -2,6 +2,9 @@ name: Lint C code
 on: [push]
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 run-c-linter:
 name: Run C linter
diff --git a/.github/workflows/lint-python.yml b/.github/workflows/lint-python.yml
index 40b9a48a..5a113771 100644
--- a/.github/workflows/lint-python.yml
+++ b/.github/workflows/lint-python.yml
@@ -2,6 +2,9 @@ name: Lint Python code
 on: [push]
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 run-python-linter:
 name: Run Python linter
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
index 766a6b01..93a80949 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/run-tests.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: "17 6 * * *"
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 run-unit-tests:
 name: Unit tests
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index 944f10ca..0088aa69 100644
--- a/.github/workflows/static-analysis.yml
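Review bot: Removing `actions: read` and `contents: read` from the `analyze` job's `permissions` block in codeql.yml does not make the job inherit them from the new top-level `permissions: read-all`. A job-level `permissions` key replaces the workflow default for that job, and every scope it does not list is set to `none`, so after this change the job's token carries only `security-events: write`. On a public repository checkout and the CodeQL upload typically still work, but on a private one both read scopes are needed, so I would keep `actions: read` and `contents: read` alongside `security-events: write`. The job body continues past the end of the hunk, so any later step that uses the token is not visible here.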
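Review bot: The added `permissions: read-all` in coverage.yml gives the token read access to every scope, which is broader than a coverage, lint or test workflow normally needs; the tighter default is `permissions:` with a single `contents: read` entry beneath it. The same applies to the identical additions in lint-c.yml, lint-python.yml, run-tests.yml and static-analysis.yml. The job steps are outside these hunks, so confirm that none of them reads another scope before narrowing. A job that does can declare that scope at job level, keeping in mind that a job-level block replaces the default rather than adding to it, so it must repeat `contents: read`.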
+++ b/.github/workflows/static-analysis.yml
@@ -4,6 +4,9 @@ on:
 push:
 branches: [ "master" ]
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 static-analysis:
 name: Run ledger static analysis