diff --git a/.dockerignore b/.dockerignore
index 6e3e40a645a..0e5dacaad96 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -22,3 +22,4 @@ packages/web # Ignore generated credentials from google-github-actions/auth gha-creds-*.json
+
diff --git a/.github/workflows/celo-monorepo.yml b/.github/workflows/celo-monorepo.yml
index 08f724242f2..cb9ca18efdb 100644
--- a/.github/workflows/celo-monorepo.yml
+++ b/.github/workflows/celo-monorepo.yml
@@ -40,6 +40,9 @@ env: # with: # limit-access-to-actor: true
+permissions:
+ contents: read
+
jobs: install-dependencies: name: Install dependencies
diff --git a/.github/workflows/containers.yaml b/.github/workflows/containers.yaml
index 9d3b3819140..856340303de 100644
--- a/.github/workflows/containers.yaml
+++ b/.github/workflows/containers.yaml
@@ -14,6 +14,9 @@ on: - 'packages/celotool/**' workflow_dispatch:
+permissions:
+ contents: read
+
jobs: changed-files: runs-on: ubuntu-latest
diff --git a/.github/workflows/protocol-devchain.yml b/.github/workflows/protocol-devchain.yml
index 8e5b269c18f..0b4cc11e909 100644
--- a/.github/workflows/protocol-devchain.yml
+++ b/.github/workflows/protocol-devchain.yml
@@ -7,6 +7,9 @@ on: - cron: 0 0 1 * * workflow_dispatch:
+permissions:
+ contents: read
+
jobs: generate-protocol-devchain: name: Generate protocol devchain used in celo-monorepo.yml workflow
diff --git a/.github/workflows/protocol_tests.yml b/.github/workflows/protocol_tests.yml
index d7bb9d5b9e5..bb48f61b38a 100644
--- a/.github/workflows/protocol_tests.yml
+++ b/.github/workflows/protocol_tests.yml
@@ -13,6 +13,9 @@ env: FOUNDRY_CACHE_KEY: 2 ANVIL_PORT: 8546
+permissions:
+ contents: read
+
jobs: check: defaults:
diff --git a/.github/workflows/publish-contracts-abi-release.yml b/.github/workflows/publish-contracts-abi-release.yml
index e7f4e7158a6..43d550f0c36 100644
--- a/.github/workflows/publish-contracts-abi-release.yml
+++ b/.github/workflows/publish-contracts-abi-release.yml
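Review bot: The workflow-level `permissions:` block added in `.github/workflows/celo-monorepo.yml` sets every scope it does not list to `none`, so any job that relied on the previous default token for more than reading the repository will start failing; the same block is added in `containers.yaml`, `protocol-devchain.yml`, `protocol_tests.yml`, `publish-contracts-abi-release.yml` and `stale.yml`. The job bodies lie outside these hunks, so this cannot be confirmed from here, but a stale job normally needs `issues: write` and `pull-requests: write`, and a job that authenticates to a cloud provider over OIDC (the `.dockerignore` comment mentions google-github-actions/auth) needs `id-token: write`. Grant those on the individual job rather than widening the workflow default, e.g. `permissions: { contents: read, id-token: write }` under the job that authenticates. A one-line comment above each block, such as `# Least privilege: GITHUB_TOKEN is read-only here; add scopes per job.`, would keep later edits from loosening it at workflow level.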
@@ -16,6 +16,10 @@ on: description: 'NPM TAG e.g. alpha, pre-merge (default: canary) ' required: true type: string
+
+permissions:
+ contents: read
+
jobs: publish: runs-on: ['self-hosted', 'org', 'npm-publish']
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index c59032a7f25..5a74941c611 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -9,6 +9,9 @@ on: schedule: - cron: '40 14 * * *'
+permissions:
+ contents: read
+
jobs: stale: