diff --git a/.github/workflows/backport-bot.yml b/.github/workflows/backport-bot.yml
index dc8fd760d6..20e29ad915 100644
--- a/.github/workflows/backport-bot.yml
+++ b/.github/workflows/backport-bot.yml
@@ -6,9 +6,15 @@ on:
 push:
 branches:
 - '*.x'
+permissions:
+ contents: read
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ issues: write
+ pull-requests: write
 steps:
 - uses: actions/checkout@v3
 - uses: actions/setup-java@v3
diff --git a/.github/workflows/clean_build_artifacts.yml b/.github/workflows/clean_build_artifacts.yml
index 84ffd72b99..81fd851ba5 100644
--- a/.github/workflows/clean_build_artifacts.yml
+++ b/.github/workflows/clean_build_artifacts.yml
@@ -8,9 +8,9 @@ permissions:
 jobs:
 main:
+ runs-on: ubuntu-latest
 permissions:
 contents: none
- runs-on: ubuntu-latest
 steps:
 - name: Delete artifacts in cron job
 env:
diff --git a/.github/workflows/continuous-integration-workflow.yml b/.github/workflows/continuous-integration-workflow.yml
index a50ca4dfb7..afccccb3c6 100644
--- a/.github/workflows/continuous-integration-workflow.yml
+++ b/.github/workflows/continuous-integration-workflow.yml
@@ -20,6 +20,9 @@ env:
 ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
 RUN_JOBS: ${{ github.repository == 'spring-projects/spring-security' }}
+permissions:
+ contents: read
+
 jobs:
 prerequisites:
 name: Pre-requisites for building
@@ -233,11 +236,11 @@ jobs:
 DOCS_SSH_KEY: ${{ secrets.DOCS_SSH_KEY }}
 DOCS_HOST: ${{ secrets.DOCS_HOST }}
 perform_release:
- permissions:
- contents: write # for Git to git push
 name: Perform release
 needs: [prerequisites, deploy_artifacts, deploy_docs, deploy_schema]
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 timeout-minutes: 90
 if: ${{ !endsWith(needs.prerequisites.outputs.project_version, '-SNAPSHOT') }}
 env:
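Review bot: The job-level `issues: write` and `pull-requests: write` added to the build job carry no comment saying which step needs them, so the next reviewer cannot judge whether a narrower scope would do; the same applies to the `issues: write` added to perform_post_release in continuous-integration-workflow.yml. A why-comment on each write scope, e.g. `pull-requests: write # presumably for labelling backport PRs — confirm against the steps`, keeps the least-privilege reasoning next to the grant. Since a job-level block sets every unlisted scope to none, any step that pushes a backport branch with GITHUB_TOKEN would also need `contents: write` here; the job's steps are outside this hunk, so that cannot be checked from the diff.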
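Review bot: The new workflow-level `contents: read` sets every other GITHUB_TOKEN scope to none for any job in continuous-integration-workflow.yml that has no `permissions:` block of its own, and nothing in the file records that, so a comment such as `permissions: # default for every job; jobs needing more declare their own block` would help. As a point of style, this hunk separates the block from `jobs:` with a blank line (as do release-scheduler.yml and update-scheduled-release-version.yml) while backport-bot.yml and milestone-spring-releasetrain.yml place `jobs:` directly after it; one layout across the workflow files would be better. Note that the repository secrets listed in the env block above the change (ARTIFACTORY_PASSWORD and the rest) are not governed by `permissions` and remain available to every job.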
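Review bot: The rationale comment `# for Git to git push` on the removed `contents: write` was dropped when the block moved below `runs-on`, so the only write grant in perform_release now has no justification. Carry it over: `contents: write # for Git to git push`. Because a job-level block leaves every other scope at none, any later step of this job (outside the hunk) that needs a second scope would have to be listed here as well.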
@@ -326,6 +329,9 @@ jobs:
 name: Perform post-release
 needs: [prerequisites, deploy_artifacts, deploy_docs, deploy_schema]
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ issues: write
 timeout-minutes: 90
 if: ${{ endsWith(needs.prerequisites.outputs.project_version, '-SNAPSHOT') }}
 env:
@@ -341,6 +347,8 @@ jobs:
 needs: [build_jdk_17, snapshot_tests, check_samples, check_tangles, deploy_artifacts, deploy_docs, deploy_schema, perform_release, perform_post_release]
 if: failure()
 runs-on: ubuntu-latest
+ permissions:
+ actions: read
 steps:
 - name: Send Slack message
 # Workaround while waiting for Gamesight/slack-workflow-status#38 to be fixed
diff --git a/.github/workflows/milestone-spring-releasetrain.yml b/.github/workflows/milestone-spring-releasetrain.yml
index 5d758ebcb4..67bbb104b2 100644
--- a/.github/workflows/milestone-spring-releasetrain.yml
+++ b/.github/workflows/milestone-spring-releasetrain.yml
@@ -5,12 +5,14 @@ on:
 env:
 DUE_ON: ${{ github.event.milestone.due_on }}
 TITLE: ${{ github.event.milestone.title }}
+permissions:
+ contents: read
 jobs:
 spring-releasetrain-checks:
- permissions:
- contents: none
 name: Check DueOn is on a Release Date
 runs-on: ubuntu-latest
+ permissions:
+ contents: none
 steps:
 - name: Print Milestone Being Checked
 run: echo "Validating DueOn '$DUE_ON' for milestone '$TITLE'"
@@ -25,6 +27,8 @@ jobs:
 needs: [spring-releasetrain-checks]
 if: failure()
 runs-on: ubuntu-latest
+ permissions:
+ actions: read
 steps:
 - name: Send Slack message
 uses: Gamesight/slack-workflow-status@v1.0.1
diff --git a/.github/workflows/release-scheduler.yml b/.github/workflows/release-scheduler.yml
index 0762c8fb69..ef67823ce5 100644
--- a/.github/workflows/release-scheduler.yml
+++ b/.github/workflows/release-scheduler.yml
@@ -5,6 +5,9 @@ on:
 - cron: '15 15 * * MON' # Every Monday at 3:15pm UTC
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 dispatch_scheduled_releases:
 name: Dispatch scheduled releases
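Review bot: `actions: read` is added to the notify job with nothing saying why; given the Gamesight/slack-workflow-status action named in the hunk, it is presumably needed so that action can read the other jobs' results from the Actions API, and a comment should record that, e.g. `actions: read # slack-workflow-status reads job results via the Actions API`. The same unexplained grant appears in the notify job hunk of milestone-spring-releasetrain.yml. The step's `uses:` line is outside this hunk, so the assumption should be confirmed there.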
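Review bot: The workflow-level `contents: read` in release-scheduler.yml sets every other GITHUB_TOKEN scope to none, yet the dispatch_scheduled_releases job named in the hunk dispatches other workflows, which requires `actions: write` on whatever token it uses; the job's steps are outside this hunk, so it cannot be seen whether it relies on GITHUB_TOKEN or a stored secret. If it uses GITHUB_TOKEN, the job needs its own block with `actions: write`; if it uses a PAT, a comment on the block saying so would stop the next reader from assuming a bug.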
diff --git a/.github/workflows/update-scheduled-release-version.yml b/.github/workflows/update-scheduled-release-version.yml
index c0cd529f6f..199e3638d7 100644
--- a/.github/workflows/update-scheduled-release-version.yml
+++ b/.github/workflows/update-scheduled-release-version.yml
@@ -9,11 +9,17 @@ env:
 GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
 GRADLE_ENTERPRISE_SECRET_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_SECRET_ACCESS_KEY }}
+permissions:
+ contents: read
+
 jobs:
 update_scheduled_release_version:
 name: Initiate Release If Scheduled
 if: ${{ github.repository == 'spring-projects/spring-security' }}
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ actions: read
 steps:
 - id: checkout-source
 name: Checkout Source Code
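Review bot: The job named `Initiate Release If Scheduled` is granted only `contents: read` and `actions: read`, which cannot push a version change or dispatch a workflow with GITHUB_TOKEN; its steps are outside this hunk, so it presumably authenticates the write side with a stored secret. Record that beside the grant, e.g. `actions: read # read-only: the release push uses a PAT secret, not GITHUB_TOKEN — confirm`, so the deliberately narrow block is not mistaken for an omission.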