diff --git a/.github/workflows/aws-lambda-java-core.yml b/.github/workflows/aws-lambda-java-core.yml
index c8064513..b1bed919 100644
--- a/.github/workflows/aws-lambda-java-core.yml
+++ b/.github/workflows/aws-lambda-java-core.yml
@@ -14,6 +14,9 @@ on:
       - 'aws-lambda-java-core/**'
       - '.github/workflows/aws-lambda-java-core.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/aws-lambda-java-events-sdk-transformer.yml b/.github/workflows/aws-lambda-java-events-sdk-transformer.yml
index 285848a9..1f1f0887 100644
--- a/.github/workflows/aws-lambda-java-events-sdk-transformer.yml
+++ b/.github/workflows/aws-lambda-java-events-sdk-transformer.yml
@@ -14,6 +14,9 @@ on:
       - 'aws-lambda-java-events-sdk-transformer/**'
       - '.github/workflows/aws-lambda-java-events-sdk-transformer.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/aws-lambda-java-events.yml b/.github/workflows/aws-lambda-java-events.yml
index b3b360b4..2d101018 100644
--- a/.github/workflows/aws-lambda-java-events.yml
+++ b/.github/workflows/aws-lambda-java-events.yml
@@ -14,6 +14,9 @@ on:
       - 'aws-lambda-java-events/**'
       - '.github/workflows/aws-lambda-java-events.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/aws-lambda-java-log4j2.yml b/.github/workflows/aws-lambda-java-log4j2.yml
index 03718e60..e9f6a56c 100644
--- a/.github/workflows/aws-lambda-java-log4j2.yml
+++ b/.github/workflows/aws-lambda-java-log4j2.yml
@@ -14,6 +14,9 @@ on:
       - 'aws-lambda-java-log4j2/**'
       - '.github/workflows/aws-lambda-java-log4j2.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/aws-lambda-java-serialization.yml b/.github/workflows/aws-lambda-java-serialization.yml
index b2700e08..13b7e08b 100644
--- a/.github/workflows/aws-lambda-java-serialization.yml
+++ b/.github/workflows/aws-lambda-java-serialization.yml
@@ -14,6 +14,9 @@ on:
       - 'aws-lambda-java-serialization/**'
       - '.github/workflows/aws-lambda-java-serialization.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/aws-lambda-java-tests.yml b/.github/workflows/aws-lambda-java-tests.yml
index 1b818014..720c52c1 100644
--- a/.github/workflows/aws-lambda-java-tests.yml
+++ b/.github/workflows/aws-lambda-java-tests.yml
@@ -14,6 +14,9 @@ on:
       - 'aws-lambda-java-tests/**'
       - '.github/workflows/aws-lambda-java-tests.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/repo-sync.yml b/.github/workflows/repo-sync.yml
index 300341c1..2d97bc86 100644
--- a/.github/workflows/repo-sync.yml
+++ b/.github/workflows/repo-sync.yml
@@ -9,6 +9,10 @@ on:
       - '.github/workflows/repo-sync.yml'
   workflow_dispatch:
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   repo-sync:
     name: Repo Sync
diff --git a/.github/workflows/runtime-interface-client_pr.yml b/.github/workflows/runtime-interface-client_pr.yml
index 35c6ca06..d436281b 100644
--- a/.github/workflows/runtime-interface-client_pr.yml
+++ b/.github/workflows/runtime-interface-client_pr.yml
@@ -10,6 +10,9 @@ on:
       - 'aws-lambda-java-runtime-interface-client/**'
       - '.github/workflows/runtime-interface-client_*.yml'
 
+permissions:
+  contents: read
+
 jobs:
 
   smoke-test:
diff --git a/.github/workflows/samples.yml b/.github/workflows/samples.yml
index 2b5e7833..aebb708a 100644
--- a/.github/workflows/samples.yml
+++ b/.github/workflows/samples.yml
@@ -14,6 +14,9 @@ on:
       - 'samples/**'
       - '.github/workflows/samples.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest