diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 3d8d359a1..c3aa840db 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,5 +1,7 @@
 name: Build
 on: [push, pull_request]
+permissions: read-all
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 52687f6ce..e4e082f38 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,8 @@ on:
 schedule:
 - cron: '20 14 * * 5'
+permissions: read-all
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/contrib.yaml b/.github/workflows/contrib.yaml
index 27f29dc7b..a1429c9fd 100644
--- a/.github/workflows/contrib.yaml
+++ b/.github/workflows/contrib.yaml
@@ -1,5 +1,6 @@
 name: Test contrib/mixin
 on: [push, pull_request]
+permissions: read-all
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
index ddd0232ec..c5225f7f9 100644
--- a/.github/workflows/coverage.yaml
+++ b/.github/workflows/coverage.yaml
@@ -1,5 +1,6 @@
 name: Coverage
 on: [push]
+permissions: read-all
 jobs:
 coverage:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 01286cead..001199ca8 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -1,8 +1,11 @@
 name: E2E
 on: [push, pull_request]
+permissions: read-all
 jobs:
 test:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 strategy:
 fail-fast: true
 matrix:
diff --git a/.github/workflows/functional.yaml b/.github/workflows/functional.yaml
index 155e3e4fa..d39d9a024 100644
--- a/.github/workflows/functional.yaml
+++ b/.github/workflows/functional.yaml
@@ -1,5 +1,6 @@
 name: functional-tests
 on: [push, pull_request]
+permissions: read-all
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/fuzzing.yaml b/.github/workflows/fuzzing.yaml
index 5e93c0c8d..75bf98a44 100644
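Review bot: `permissions: read-all` in .github/workflows/build.yaml gives the job token read access to every scope, which is wider than a build job normally needs. A narrower workflow default would be `permissions:` with `contents: read` beneath it, with further scopes granted only on the jobs that use them. The same top-level line is added in the contrib, coverage, functional, fuzzing, govuln, grpcproxy, linearizability, static-analysis and tests workflows, and the point applies there as well. The job bodies continue outside these hunks, so confirm that no step reads another scope before narrowing.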
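Review bot: The new top-level `permissions: read-all` in codeql-analysis.yml leaves the `analyze` job without `security-events: write` unless the job declares it itself, and CodeQL needs that scope to upload its results. The job body continues past the hunk, so this may already be handled there. If it is not, add a job-level `permissions:` block under `analyze:` with `security-events: write`, `contents: read` and `actions: read`.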
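Review bot: The `test` job in e2e.yaml is granted `contents: write` while the workflow runs on every `push` and `pull_request`, and nothing in the hunk shows a step that writes to the repository. A write-capable token in a job that builds and executes the tree's own code widens the impact of a compromised dependency or test script on push and same-repository pull-request runs. If no step needs the grant, use `contents: read`; if one does, record it next to the grant with a comment such as `# contents: write is required by <step name>`. The job's steps are outside the hunk.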
--- a/.github/workflows/fuzzing.yaml
+++ b/.github/workflows/fuzzing.yaml
@@ -1,5 +1,6 @@
 name: Fuzzing v3rpc
 on: [push, pull_request]
+permissions: read-all
 jobs:
 fuzzing:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/govuln.yaml b/.github/workflows/govuln.yaml
index 67bf37044..8794daf07 100644
--- a/.github/workflows/govuln.yaml
+++ b/.github/workflows/govuln.yaml
@@ -1,5 +1,6 @@
 name: Go Vulnerability Checker
 on: [push, pull_request]
+permissions: read-all
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/grpcproxy.yaml b/.github/workflows/grpcproxy.yaml
index 42350423b..d5fefb4fc 100644
--- a/.github/workflows/grpcproxy.yaml
+++ b/.github/workflows/grpcproxy.yaml
@@ -1,5 +1,6 @@
 name: grpcProxy-tests
 on: [push, pull_request]
+permissions: read-all
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/linearizability.yaml b/.github/workflows/linearizability.yaml
index 7303a3509..3d6b53e7d 100644
--- a/.github/workflows/linearizability.yaml
+++ b/.github/workflows/linearizability.yaml
@@ -1,5 +1,6 @@
 name: Linearizability
 on: [push, pull_request]
+permissions: read-all
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/measure-test-flakiness.yaml b/.github/workflows/measure-test-flakiness.yaml
index 68a555a0c..bf793c270 100644
--- a/.github/workflows/measure-test-flakiness.yaml
+++ b/.github/workflows/measure-test-flakiness.yaml
@@ -1,9 +1,12 @@
 name: Measure Test Flakiness
 on:
+ workflow_dispatch:
 schedule:
 - cron: "0 0 * * 0"
+permissions: read-all
+
 jobs:
 measure-test-flakiness:
 name: Measure Test Flakiness
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index b207e1a8c..a6546920c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,7 +1,10 @@
 name: Release
 on: [push, pull_request]
+permissions: read-all
 jobs:
 main:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
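Review bot: Job `main` in release.yaml receives `contents: write` on every `push` and `pull_request` run, and its first step is `actions/checkout@v2`, which is referenced by a mutable tag and by default leaves the token in the checked-out repository's git config for later steps. If the steps past the hunk only build and verify release artifacts, `contents: read` is sufficient. If a write really is needed, restrict it to the job or event that publishes, set `persist-credentials: false` on the checkout step, and pin the action to a full commit SHA.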
diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml
index fb7dd44ae..8905f46ce 100644
--- a/.github/workflows/static-analysis.yaml
+++ b/.github/workflows/static-analysis.yaml
@@ -1,5 +1,6 @@
 name: Static Analysis
 on: [push, pull_request]
+permissions: read-all
 jobs:
 run:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 4a3f977df..11ee3240c 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -1,5 +1,6 @@
 name: Tests
 on: [push, pull_request]
+permissions: read-all
 jobs:
 test:
 runs-on: ubuntu-latest