diff --git a/.github/workflows/postsubmit.yaml b/.github/workflows/postsubmit.yaml
index 9b3db3f5..a7a965b3 100644
--- a/.github/workflows/postsubmit.yaml
+++ b/.github/workflows/postsubmit.yaml
@@ -5,6 +5,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     if: github.repository_owner == 'google'
diff --git a/.github/workflows/presubmit.yaml b/.github/workflows/presubmit.yaml
index 34fed9e5..f377967f 100644
--- a/.github/workflows/presubmit.yaml
+++ b/.github/workflows/presubmit.yaml
@@ -6,6 +6,9 @@ on:
     branches-ignore:
       - main  # push events to main branch occur after PRs are merged, when the same checks were run
 
+permissions:
+  contents: read
+
 jobs:
   build-test:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/unstable-channel.yaml b/.github/workflows/unstable-channel.yaml
index d30f9c91..4ba4abe3 100644
--- a/.github/workflows/unstable-channel.yaml
+++ b/.github/workflows/unstable-channel.yaml
@@ -5,6 +5,9 @@ on:
     branches:
       - 'version-[0-9]+.[0-9]+-dev'
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     if: github.repository_owner == 'google'