diff --git a/.github/workflows/_check_code.yaml b/.github/workflows/_check_code.yaml
index 262ef963..21d9df33 100644
--- a/.github/workflows/_check_code.yaml
+++ b/.github/workflows/_check_code.yaml
@@ -7,6 +7,9 @@ on:
 # Runs when invoked by another workflow.
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 actions_lint_check:
 name: Actions lint check
diff --git a/.github/workflows/_check_docs.yaml b/.github/workflows/_check_docs.yaml
index 5ea476d1..893e0db0 100644
--- a/.github/workflows/_check_docs.yaml
+++ b/.github/workflows/_check_docs.yaml
@@ -7,6 +7,9 @@ on:
 # Runs when invoked by another workflow.
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 doc_checks:
 name: Doc checks
diff --git a/.github/workflows/_release_docs.yaml b/.github/workflows/_release_docs.yaml
index e0f5e0c5..2429b3af 100644
--- a/.github/workflows/_release_docs.yaml
+++ b/.github/workflows/_release_docs.yaml
@@ -11,6 +11,9 @@ on:
 required: true
 type: string
+permissions:
+ contents: read
+
 env:
 NODE_VERSION: 22
 PYTHON_VERSION: 3.14
diff --git a/.github/workflows/_tests.yaml b/.github/workflows/_tests.yaml
index 465af07a..84b6644b 100644
--- a/.github/workflows/_tests.yaml
+++ b/.github/workflows/_tests.yaml
@@ -7,6 +7,9 @@ on:
 # Runs when invoked by another workflow.
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 unit_tests:
 name: Unit tests
diff --git a/.github/workflows/manual_release_stable.yaml b/.github/workflows/manual_release_stable.yaml
index c3d9ee9e..5d8c1f9c 100644
--- a/.github/workflows/manual_release_stable.yaml
+++ b/.github/workflows/manual_release_stable.yaml
@@ -25,6 +25,9 @@ concurrency:
 group: release
 cancel-in-progress: false
+permissions:
+ contents: read
+
 jobs:
 code_checks:
 name: Code checks
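Review bot: The top-level `permissions: contents: read` added to _release_docs.yaml applies to every job of that called workflow, and a called workflow can only narrow the token scopes its caller passes in, so the `pages: write` and `id-token: write` that the doc_release jobs in manual_release_stable.yaml and on_master.yaml grant will not reach any job in _release_docs.yaml that does not declare its own job-level `permissions:` with those scopes. The jobs of _release_docs.yaml are outside this hunk, so please confirm the deploying job carries its own `permissions:` block (`pages: write`, `id-token: write`, plus whatever `contents` level it needs); if it relies on inheriting the caller's grant, the deploy would run with a read-only token. The same narrowing rule is what makes the identical `contents: read` blocks in _check_code.yaml, _check_docs.yaml and _tests.yaml safe, since their callers only need read access.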
@@ -51,6 +54,8 @@ jobs:
 changelog_update:
 name: Changelog update
 needs: [release_prepare]
+ permissions:
+ contents: write
 uses: apify/workflows/.github/workflows/python_bump_and_update_changelog.yaml@main
 with:
 version_number: ${{ needs.release_prepare.outputs.version_number }}
@@ -61,6 +66,8 @@ jobs:
 name: GitHub release
 needs: [release_prepare, changelog_update]
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 steps:
@@ -98,6 +105,10 @@ jobs:
 doc_release:
 name: Doc release
 needs: [changelog_update, pypi_publish]
+ permissions:
+ contents: write
+ pages: write
+ id-token: write
 uses: ./.github/workflows/_release_docs.yaml
 with:
 # Use the ref from the changelog update to include the updated changelog.
diff --git a/.github/workflows/on_issue.yaml b/.github/workflows/on_issue.yaml
index c758a371..db6a3047 100644
--- a/.github/workflows/on_issue.yaml
+++ b/.github/workflows/on_issue.yaml
@@ -6,6 +6,9 @@ on:
 types:
 - opened
+permissions:
+ contents: read
+
 jobs:
 label_issues:
 name: Add labels
diff --git a/.github/workflows/on_master.yaml b/.github/workflows/on_master.yaml
index d5db015a..82dee8ee 100644
--- a/.github/workflows/on_master.yaml
+++ b/.github/workflows/on_master.yaml
@@ -11,6 +11,9 @@ concurrency:
 group: release
 cancel-in-progress: false
+permissions:
+ contents: read
+
 jobs:
 doc_checks:
 name: Doc checks
@@ -21,6 +24,10 @@ jobs:
 if: startsWith(github.event.head_commit.message, 'docs')
 name: Doc release
 needs: [doc_checks]
+ permissions:
+ contents: write
+ pages: write
+ id-token: write
 uses: ./.github/workflows/_release_docs.yaml
 with:
 # Use the same ref as the one that triggered the workflow.
@@ -64,6 +71,8 @@ jobs:
 changelog_update:
 name: Changelog update
 needs: [release_prepare]
+ permissions:
+ contents: write
 uses: apify/workflows/.github/workflows/python_bump_and_update_changelog.yaml@main
 with:
 version_number: ${{ needs.release_prepare.outputs.version_number }}
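Review bot: The `contents: write` grant on changelog_update in manual_release_stable.yaml is handed to a reusable workflow referenced by a mutable branch, `uses: apify/workflows/.github/workflows/python_bump_and_update_changelog.yaml@main`, so any future change pushed to that branch runs with write access to this repository's contents without a review here. Pinning the reference to a full commit SHA (`...python_bump_and_update_changelog.yaml@<commit-sha>`, placeholder) ties the write grant to a reviewed revision; the same applies to the changelog_update hunk in on_master.yaml (`@@ -64,6 +71,8`). If apify/workflows is under the same branch-protection controls as this repository the exposure is smaller, but the pin still makes the trust boundary explicit.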
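Review bot: The label_issues job ("Add labels") in on_issue.yaml presumably needs `issues: write` to label the issue, but the added top-level block limits the default GITHUB_TOKEN to `contents: read` for every job in the file and the hunk shows no job-level override, so labeling would fail with a 403 unless the job authenticates with a separately provisioned token. If it uses GITHUB_TOKEN, add a job-scoped `permissions:` under label_issues with `contents: read` and `issues: write` rather than widening the top-level block. The body of label_issues lies outside the hunk, so this needs confirming against the rest of the file.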
@@ -95,6 +104,10 @@ jobs:
 doc_release_post_publish:
 name: Doc release post publish
 needs: [changelog_update, pypi_publish]
+ permissions:
+ contents: write
+ pages: write
+ id-token: write
 uses: ./.github/workflows/_release_docs.yaml
 with:
 # Use the ref from the changelog update to include the updated changelog.
diff --git a/.github/workflows/on_pull_request.yaml b/.github/workflows/on_pull_request.yaml
index ff191cd7..a13e725f 100644
--- a/.github/workflows/on_pull_request.yaml
+++ b/.github/workflows/on_pull_request.yaml
@@ -4,6 +4,10 @@ on:
 # Runs whenever a pull request is opened or updated.
 pull_request:
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 pr_title_check:
 name: PR title check