diff --git a/.github/workflows/build-k3s.yaml b/.github/workflows/build-k3s.yaml
index d9201df19448..9233b782ec7f 100644
--- a/.github/workflows/build-k3s.yaml
+++ b/.github/workflows/build-k3s.yaml
@@ -8,6 +8,9 @@ on:
 required: false
 default: false
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build
diff --git a/.github/workflows/cgroup.yaml b/.github/workflows/cgroup.yaml
index 5bae805d8933..32d078ff6118 100644
--- a/.github/workflows/cgroup.yaml
+++ b/.github/workflows/cgroup.yaml
@@ -19,6 +19,10 @@ on:
 - ".github/**"
 - "!.github/workflows/cgroup.yaml"
 workflow_dispatch: {}
+
+permissions:
+ contents: read
+
 jobs:
 prep:
 name: "Prepare"
diff --git a/.github/workflows/epic.yaml b/.github/workflows/epic.yaml
index 0e07c8b53ae2..42779e75871d 100644
--- a/.github/workflows/epic.yaml
+++ b/.github/workflows/epic.yaml
@@ -2,10 +2,16 @@ name: Update epics
 on:
 issues:
 types: [opened, closed, reopened]
+
+permissions:
+ contents: read
+
 jobs:
 epics:
 runs-on: ubuntu-latest
 name: Update epic issues
+ permissions:
+ issues: read | write
 steps:
 - name: Run epics action
 uses: cloudaper/epics-action@v1
diff --git a/.github/workflows/install.yaml b/.github/workflows/install.yaml
index 237ff33f4880..59aec67ac4b5 100644
--- a/.github/workflows/install.yaml
+++ b/.github/workflows/install.yaml
@@ -12,6 +12,10 @@ on:
 - "install.sh"
 - "tests/install/**"
 workflow_dispatch: {}
+
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build
diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
index 7703fdf4a0b0..612b1163a359 100644
--- a/.github/workflows/integration.yaml
+++ b/.github/workflows/integration.yaml
@@ -19,6 +19,10 @@ on:
 - ".github/**"
 - "!.github/workflows/integration.yaml"
 workflow_dispatch: {}
+
+permissions:
+ contents: read
+
 jobs:
 build:
 uses: ./.github/workflows/build-k3s.yaml
diff --git a/.github/workflows/nightly-install.yaml b/.github/workflows/nightly-install.yaml
index a1969f987a85..9e77b13a17cb 100644
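Review bot: The `permissions:` block added at the top of build-k3s.yaml has no comment explaining the intent, and the same uncommented block is added to cgroup.yaml, install.yaml, integration.yaml, nightly-install.yaml, snapshotter.yaml and unitcoverage.yaml. A line above it such as `# Least privilege: GITHUB_TOKEN is read-only by default; a job that needs more declares its own permissions block` would make later job-level overrides a deliberate choice. integration.yaml calls this file through `uses: ./.github/workflows/build-k3s.yaml`, and a called workflow cannot exceed the caller's token permissions, so the two blocks need to stay aligned if either is widened. The jobs themselves are outside the hunk, so whether any step needs more than `contents: read` cannot be checked from here.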
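Review bot: In epic.yaml the job-level value `issues: read | write` is not a permission level GitHub Actions accepts: each scope takes `read`, `write` or `none`, and YAML parses this as the single string `read | write`, so the workflow will most likely be rejected at validation. `write` already includes read access, so the line should be `issues: write`. Because a job-level `permissions:` block replaces the workflow-level default, `contents` becomes none for this job, which looks fine given the only visible step is the epics action. That step passes the write-scoped token to `cloudaper/epics-action@v1`, a mutable tag, so pinning it to a full commit SHA is worth doing alongside; the step list continues outside the hunk.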
--- a/.github/workflows/nightly-install.yaml
+++ b/.github/workflows/nightly-install.yaml
@@ -3,6 +3,10 @@ on:
 schedule:
 - cron: "0 0 * * 1-5"
 workflow_dispatch: {}
+
+permissions:
+ contents: read
+
 jobs:
 test:
 name: "Smoke Test"
diff --git a/.github/workflows/snapshotter.yaml b/.github/workflows/snapshotter.yaml
index 3a6744d855a5..e5a6f49d5513 100644
--- a/.github/workflows/snapshotter.yaml
+++ b/.github/workflows/snapshotter.yaml
@@ -19,6 +19,10 @@ on:
 - ".github/**"
 - "!.github/workflows/snapshotter.yaml"
 workflow_dispatch: {}
+
+permissions:
+ contents: read
+
 jobs:
 prep:
 name: "Prepare"
diff --git a/.github/workflows/unitcoverage.yaml b/.github/workflows/unitcoverage.yaml
index 8cd14c47fd11..c5fa2907c235 100644
--- a/.github/workflows/unitcoverage.yaml
+++ b/.github/workflows/unitcoverage.yaml
@@ -21,6 +21,10 @@ on:
 - ".github/**"
 - "!.github/workflows/unitcoverage.yaml"
 workflow_dispatch: {}
+
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Unit Tests
diff --git a/.github/workflows/updatecli.yml b/.github/workflows/updatecli.yaml
similarity index 100%
rename from .github/workflows/updatecli.yml
rename to .github/workflows/updatecli.yaml