diff --git a/.github/workflows/aggregate-on-push.yml b/.github/workflows/aggregate-on-push.yml
index ad3f9e6..aae046d 100644
--- a/.github/workflows/aggregate-on-push.yml
+++ b/.github/workflows/aggregate-on-push.yml
@@ -1,15 +1,18 @@
-name: aggregate-on-push
-
-on:
- push:
- branches:
- - main
-
-jobs:
- aggregate:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - uses: ./.github/actions/aggregate-on-push
- with:
- GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+name: aggregate-on-push
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ aggregate:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: ./.github/actions/aggregate-on-push
+ with:
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/on_pr.yml b/.github/workflows/on_pr.yml
index b241e6e..a331c12 100644
--- a/.github/workflows/on_pr.yml
+++ b/.github/workflows/on_pr.yml
@@ -1,5 +1,8 @@
 name: Submission PR Review
 on: pull_request
+permissions:
+ contents: read
+
 jobs:
 verify:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/validate-all-prs-on-trigger.yml b/.github/workflows/validate-all-prs-on-trigger.yml
index eaaf32d..605d29d 100644
--- a/.github/workflows/validate-all-prs-on-trigger.yml
+++ b/.github/workflows/validate-all-prs-on-trigger.yml
@@ -3,6 +3,9 @@ name: validate-all-prs-on-trigger on: workflow_dispatch +permissions: + contents: read + jobs: validate: runs-on: ubuntu-latest
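Review bot: In aggregate-on-push.yml the `GITHUB_TOKEN` handed to `./.github/actions/aggregate-on-push` is now limited to `contents: read`, and the diff does not show whether that action only reads the repository. If it commits or pushes the aggregated output, the step will start failing with a permission error; in that case grant the scope at job level rather than workflow level, i.e. a `permissions:` block with `contents: write` under `jobs.aggregate`, so the default for any job added later stays read-only. Once that is confirmed, a short comment above the block such as `# least privilege: the aggregate action only needs to read the checkout` would record why the value was chosen. Separately, `actions/checkout@v2` is still referenced by a mutable tag; pinning it as `uses: actions/checkout@<full-commit-sha>` keeps the code that runs with this token fixed.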
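Review bot: In on_pr.yml, declaring only `contents: read` sets every scope that is not listed (`pull-requests`, `issues`, `checks`, `statuses`, …) to `none`, and the steps of the `verify` job lie outside this hunk, so it is not visible whether any of them posts a comment, label or status on the submission PR. If one does, add the single scope it needs, for example `pull-requests: write`, under `jobs.verify` instead of widening the workflow default. The same check applies to the `validate` job in validate-all-prs-on-trigger.yml, which by its name presumably lists open PRs through the API and may need `pull-requests: read`.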