diff --git a/.github/workflows/bake.yaml b/.github/workflows/bake.yaml
index 85df165d..5da216d3 100644
--- a/.github/workflows/bake.yaml
+++ b/.github/workflows/bake.yaml
@@ -17,6 +17,8 @@ on:
 default: ""
 description: "A comma separated list of targets to build. If empty, all targets will be built."
+permissions: read-all
+
 jobs:
 # Start by building images for testing. We want to run security checks before pushing those to production.
 testbuild:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index afaed676..5cc1a195 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,6 +8,8 @@ on:
 - Debian/ClusterImageCatalog*.yaml
 workflow_dispatch:
+permissions: read-all
+
 env:
 IMAGE_STAGING: "ghcr.io/${{ github.repository_owner }}/postgresql-testing"
 IMAGE_RELEASE: "ghcr.io/${{ github.repository_owner }}/postgresql"
@@ -179,6 +181,8 @@ jobs:
 name: Generate ClusterImageCatalog
 runs-on: ubuntu-24.04
 needs: build
+ permissions:
+ contents: write
 steps:
 - name: Checkout Code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index 3bf7c047..0ddc0db6 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -9,6 +9,8 @@ defaults:
 run:
 shell: 'bash -Eeuo pipefail -x {0}'
+permissions: read-all
+
 jobs:
 build:
 name: Run update script
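Review bot: `permissions: read-all` in bake.yaml (and the identical line added to build.yml and update.yml) grants the GITHUB_TOKEN read access on every scope, where the usual least-privilege baseline for workflows that only need to check out code is `permissions:` / `  contents: read`, adding further read scopes only on the jobs that use them. The comment under `jobs:` says the images are pushed after the security checks, and IMAGE_STAGING/IMAGE_RELEASE in build.yml point at ghcr.io, so any job that pushes needs a job-level `packages: write`; no hunk in this diff adds one, so either that elevation lives outside the diff or the pushes will start failing once the top-level default is narrowed — worth confirming before merge. The same question applies to the "Run update script" job in update.yml if it commits or opens a pull request (inferred from the job name only). Each of the three `jobs:` maps continues outside its hunk.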
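Review bot: The job-level `permissions:` block added to the Generate ClusterImageCatalog job in build.yml replaces the workflow-level `read-all` for that job rather than extending it, so the job's token gets `contents: write` and none on every other scope; any step in this job that needs another scope (for instance `packages: read` if it pulls the image referenced by IMAGE_RELEASE) must be listed here explicitly. Confining the only write scope to one job is the right shape, but the reason for the elevation is not visible in the hunk — a one-line comment above it, e.g. `# contents: write — presumably commits the regenerated catalog; confirm against the steps below`, would make the grant reviewable. The job's `steps:` continue outside the hunk.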