diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml index 0cc9d07f9..2d8e60493 100644 --- a/.github/workflows/build-binaries.yml +++ b/.github/workflows/build-binaries.yml @@ -5,6 +5,9 @@ on: - main - "releases/*" +permissions: + contents: read + jobs: # Compile the binaries and upload artifacts compile-binaries: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 71d804e5a..e24187c5f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,10 @@ on: - main - "releases/*" +permissions: + contents: read + actions: read + env: COLUMNS: 120 diff --git a/.github/workflows/nightly-throughput-stress.yml b/.github/workflows/nightly-throughput-stress.yml index 4b777fc55..10883b792 100644 --- a/.github/workflows/nightly-throughput-stress.yml +++ b/.github/workflows/nightly-throughput-stress.yml @@ -26,7 +26,7 @@ on: type: number permissions: - contents: read + contents: read env: # Workflow configuration @@ -173,4 +173,4 @@ jobs: ] } env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SDK_ALERTS_WEBHOOK }} \ No newline at end of file + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SDK_ALERTS_WEBHOOK }} diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 7e1e30d68..505fd507d 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -5,6 +5,9 @@ on: # (12 AM PST) - cron: "00 07 * * *" +permissions: + contents: read + jobs: nightly: uses: ./.github/workflows/run-bench.yml diff --git a/.github/workflows/omes.yml b/.github/workflows/omes.yml index 6b1287739..6afa925e1 100644 --- a/.github/workflows/omes.yml +++ b/.github/workflows/omes.yml @@ -5,6 +5,10 @@ on: - main - "releases/*" +permissions: + contents: read + packages: write + jobs: omes-image-build: uses: temporalio/omes/.github/workflows/docker-images.yml@main diff --git a/.github/workflows/run-bench.yml b/.github/workflows/run-bench.yml index 6dcad63e8..7f108e1db 100644 --- a/.github/workflows/run-bench.yml 
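Review bot: In build-binaries.yml, any job that relied on a default token scope beyond `contents: read` will lose it, because a top-level `permissions:` block sets every scope it does not list to `none`. The `compile-binaries` job body lies outside this hunk, so it cannot be confirmed from here that nothing in it creates a release, writes a package or requests an OIDC token. The same check applies to the blocks added in ci.yml, nightly.yml and run-bench.yml. A short comment above the block, such as `# Least privilege: jobs here only check out the repository`, would record the intent for whoever adds the next job.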
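Review bot: In ci.yml the added `actions: read` has no visible consumer in this hunk and no comment saying which step needs it. If a job queries workflow runs or fetches artifacts through the API, name it above the line, e.g. `# actions: read is required by <step name>`; if nothing needs it, drop the line so the token stays at `contents: read`. Because the grant is at workflow level it reaches every job in the file, so a job-level `permissions:` block on the one consumer would be tighter.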
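Review bot: In omes.yml `packages: write` is granted at workflow level while the `omes-image-build` job delegates to `temporalio/omes/.github/workflows/docker-images.yml@main`, a mutable branch ref. Whatever that branch holds at run time therefore executes with a token that carries package write access. Declaring the block under `omes-image-build:` instead (`permissions:` with `contents: read` and `packages: write`) keeps the write scope off any other job in the file. Pinning `uses:` to a full commit SHA would make the code that receives the token reviewable. The rest of the `jobs:` section is outside this hunk, so whether other jobs exist is not visible here.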
+++ b/.github/workflows/run-bench.yml @@ -18,6 +18,9 @@ on: - "--sandbox" - "--no-sandbox" +permissions: + contents: read + jobs: run-bench: strategy: @@ -68,4 +71,4 @@ jobs: - run: poe run-bench --workflow-count 10000 --max-cached-workflows 10000 --max-concurrent 10000 ${{ inputs.sandbox-arg }} - run: poe run-bench --workflow-count 10000 --max-cached-workflows 1000 --max-concurrent 1000 ${{ inputs.sandbox-arg }} - - run: poe run-bench --workflow-count 10000 --max-cached-workflows 1000 --max-concurrent 1000 ${{ inputs.sandbox-arg }} \ No newline at end of file + - run: poe run-bench --workflow-count 10000 --max-cached-workflows 1000 --max-concurrent 1000 ${{ inputs.sandbox-arg }}