diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 35eab0860..08e3bc1d6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,8 @@ on: [push, pull_request, workflow_dispatch]
 env:
   BUILD_TYPE: Debug
 
+permissions: read-all
+
 jobs:
 
 
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index eebd8261b..ff5c1d5f0 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -15,6 +15,8 @@ on:
       DOCKERHUB_TOKEN:
         required: true
 
+permissions: read-all
+
 jobs:
   docker:
     runs-on: ubuntu-20.04
@@ -65,4 +67,4 @@ jobs:
         if: ${{ inputs.tag-latest == 'true' }}
         run: |
           docker tag modelcpp/codecompass:runtime-pgsql modelcpp/codecompass:latest
-          docker push modelcpp/codecompass:latest
\ No newline at end of file
+          docker push modelcpp/codecompass:latest
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 55c3aab14..1967351fc 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -2,6 +2,8 @@ name: Frontend linting
 
 on: [push, pull_request, workflow_dispatch]
 
+permissions: read-all
+
 jobs:
     linting:
         runs-on: ubuntu-20.04
diff --git a/.github/workflows/tarball.yml b/.github/workflows/tarball.yml
index c1d416d9b..126fd6dbe 100644
--- a/.github/workflows/tarball.yml
+++ b/.github/workflows/tarball.yml
@@ -7,6 +7,8 @@ on:
       GITLAB_TRIGGER_TOKEN:
         required: true
 
+permissions: read-all
+
 jobs:
   tarball:
     runs-on: ubuntu-20.04