diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index b74e53d2df..5b1c830afd 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -9,6 +9,8 @@ on:
 release:
 types:
 - published
+permissions:
+ contents: read
 jobs:
 ubuntu:
 if: startsWith(github.repository, 'Homebrew/')
diff --git a/.github/workflows/doctor.yml b/.github/workflows/doctor.yml
index 859b001921..4c2b66c43d 100644
--- a/.github/workflows/doctor.yml
+++ b/.github/workflows/doctor.yml
@@ -8,6 +8,8 @@ on:
 - Library/Homebrew/extend/os/diagnostic.rb
 - Library/Homebrew/extend/os/mac/diagnostic.rb
 - Library/Homebrew/os/mac/xcode.rb
+permissions:
+ contents: read
 env:
 HOMEBREW_DEVELOPER: 1
 HOMEBREW_NO_AUTO_UPDATE: 1
diff --git a/.github/workflows/sorbet.yml b/.github/workflows/sorbet.yml
index ff8b18b8a8..52dc5b878c 100644
--- a/.github/workflows/sorbet.yml
+++ b/.github/workflows/sorbet.yml
@@ -10,6 +10,9 @@ on:
 - cron: "0 0 * * *"
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 tapioca:
 if: github.repository == 'Homebrew/brew'
diff --git a/.github/workflows/spdx.yml b/.github/workflows/spdx.yml
index 3797770d1b..c63b51cb37 100644
--- a/.github/workflows/spdx.yml
+++ b/.github/workflows/spdx.yml
@@ -7,6 +7,8 @@ on:
 - master
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ contents: read
 jobs:
 spdx:
 if: github.repository == 'Homebrew/brew'
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index c608ffec3e..55ed1a6bb0 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -6,6 +6,9 @@ on:
 - master
 pull_request:
+permissions:
+ contents: read
+
 env:
 HOMEBREW_DEVELOPER: 1
 HOMEBREW_NO_AUTO_UPDATE: 1
diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
index 28a1012237..654cea325f 100644
--- a/.github/workflows/triage.yml
+++ b/.github/workflows/triage.yml
@@ -12,6 +12,8 @@ on:
 schedule:
 - cron: "0 */3 * * *" # every 3 hours
+permissions:
+
 concurrency: triage-${{ github.ref }}
 jobs:
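Review bot: The top-level `permissions:` block added before `jobs:` in docker.yml caps the GITHUB_TOKEN at `contents: read` for every job and leaves every unlisted scope at none, so any job that publishes with that token needs its own job-level grant. The `ubuntu` job body lies outside the hunk, so whether it pushes images with GITHUB_TOKEN (which would need something like `packages: write` on the job) or with a separate secret cannot be confirmed from here. The same check applies to the identical additions in sorbet.yml, spdx.yml, update-man-completions.yml and vendor-gems.yml, whose names suggest they may commit or open pull requests. A short comment above the block, e.g. `# default to read-only; jobs that need more declare job-level permissions`, would record the intent.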
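Review bot: In triage.yml the added `permissions:` key has no scopes under it in this hunk, unlike every other file in the commit, so it parses as a YAML null rather than a scope mapping. How the workflow loader treats a null here is not evident from the hunk; it could be rejected or could silently leave the default token permissions in place. If the intent is a token with no default scopes, write `permissions: {}`; if it is read-only like the others, add `  contents: read` beneath it. The jobs start outside the hunk, so any job-level grants that triage needs (its name suggests it writes to pull requests) cannot be checked from here.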
diff --git a/.github/workflows/update-man-completions.yml b/.github/workflows/update-man-completions.yml
index 71125d33c4..c307add30f 100644
--- a/.github/workflows/update-man-completions.yml
+++ b/.github/workflows/update-man-completions.yml
@@ -18,6 +18,9 @@ on:
 - cron: "0 0 * * *"
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 update-manpage:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/vendor-gems.yml b/.github/workflows/vendor-gems.yml
index 0ffadcac95..b3d0e2e1a1 100644
--- a/.github/workflows/vendor-gems.yml
+++ b/.github/workflows/vendor-gems.yml
@@ -8,6 +8,10 @@ on:
 description: Pull request number
 required: true
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 vendor-gems:
 if: >
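Review bot: `pull-requests: read` in vendor-gems.yml is the only scope beyond `contents: read` that this commit grants anywhere, and nothing in the hunk says which step needs it. A comment on that line, e.g. `# needed to look up the pull request named by the input above` (presumably; confirm against the job steps), would keep the grant from being widened or dropped by guesswork later. The `vendor-gems` job starts at the end of the hunk, and its `if: >` condition and steps continue outside it.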