diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 0c79ca537d..d25f54fb6b 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -17,6 +17,9 @@ concurrency:
   group: ${{ github.ref_name }}-codeql
   cancel-in-progress: true
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index b9fe65776d..ca9993ef86 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -9,6 +9,9 @@ concurrency:
   group: ${{ github.ref_name }}-fossa
   cancel-in-progress: true
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   scan:
     name: Fossa
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 053fddb01f..4413605165 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -2,6 +2,9 @@ name: "Pull Request Labeler"
 on:
   - pull_request_target
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   triage:
     permissions: