diff --git a/.github/workflows/approved_status.yml b/.github/workflows/approved_status.yml
index 1d1422c772..11fe488dc0 100644
--- a/.github/workflows/approved_status.yml
+++ b/.github/workflows/approved_status.yml
@@ -1,5 +1,9 @@
 name: Send PR Approval Status
 
+permissions:
+ contents: read
+ pull-requests: write
+
 on:
 pull_request:
 branches:
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 6dd28dcc4c..9fa9b771b5 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -1,4 +1,9 @@
 name: "Ensure labels"
+
+permissions:
+ contents: read
+ pull-requests: read
+
 on: # yamllint disable-line rule:truthy
 pull_request:
 types:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 25d0f8e743..5c2247c209 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,5 +1,9 @@
 name: "CodeQL"
 
+permissions:
+ contents: read
+ checks: write
+
 on:
 push:
 branches: [ "master" ]
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 9f9d92a28d..45b93b3eb6 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,5 +1,8 @@
 name: docs
 
+permissions:
+ contents: write
+
 on:
 push:
 branches:
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index bbbd1d357a..fc9bdfac0c 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -1,4 +1,9 @@
 name: "Pull Request Labeler"
+
+permissions:
+ contents: read
+ pull-requests: write
+
 on:
 - pull_request
 
diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml
index f0427e99a0..0343e5291e 100644
--- a/.github/workflows/prepare_release.yml
+++ b/.github/workflows/prepare_release.yml
@@ -1,5 +1,9 @@
 name: Prepare release
 
+permissions:
+ contents: write
+ pull-requests: write
+
 on:
 workflow_dispatch:
 inputs:
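Review bot: In `.github/workflows/codeql-analysis.yml` the new workflow-level block grants `contents: read` and `checks: write` but not `security-events: write`, which the CodeQL analyze step uses to upload its results to code scanning. Once a `permissions:` key is present, every scope not listed is set to none, so unless the analyze job declares its own `permissions:` (the job definitions are outside this hunk) the upload would be rejected. I would add `security-events: write` here and keep `checks: write` only if something in the workflow actually creates check runs.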
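Review bot: In `.github/workflows/docs.yml`, `contents: write` is declared at workflow level, so every job and every third-party action in the file receives a token that can push to the repository, not only the step that publishes the docs. A tighter layout is `contents: read` at the top plus a job-level `permissions:` block with `contents: write` on the one job that pushes. The same applies to the workflow-level write scopes added in prepare_release.yml, publish.yml, release.yml and stale.yml. The job definitions are outside these hunks, so which jobs need write access has to be confirmed against the full files.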
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index deba2d125a..048943bf08 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,5 +1,10 @@
 name: Publish
 
+permissions:
+ contents: write
+ attestations: write
+ pull-requests: write
+
 on:
 release:
 types:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3df7311486..e58bb85fac 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,9 @@
 name: Release
 
+permissions:
+ contents: write
+ pull-requests: write
+
 on:
 pull_request:
 types: [closed]
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index be633ce9ab..e0c08fcb4a 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,6 +1,12 @@
 # Configuration for https://github.com/actions/stale
 
 name: "Stale issues and pull requests"
+
+permissions:
+ contents: write
+ issues: write
+ pull-requests: write
+
 on:
 schedule:
 - cron: "0 0 * * *"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1a8c34f10f..c53d4383d9 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,5 +1,8 @@
 name: Run Tests
 
+permissions:
+ contents: read
+
 env:
 GIT_AUTHOR_EMAIL: "packages@datadoghq.com"
 GIT_AUTHOR_NAME: "ci.datadog-api-spec"
diff --git a/.github/workflows/test_integration.yml b/.github/workflows/test_integration.yml
index dd1a6487fb..b086b144f5 100644
--- a/.github/workflows/test_integration.yml
+++ b/.github/workflows/test_integration.yml
@@ -1,5 +1,8 @@
 name: Run Integration Tests
 
+permissions:
+ contents: read
+
 on:
 pull_request:
 types:
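Review bot: In `.github/workflows/publish.yml` the block adds `attestations: write` but not `id-token: write`, and with a `permissions:` key present every unlisted scope becomes none. If the publish job generates artifact attestations or authenticates to the package registry through OIDC, the OIDC token request would fail; add `id-token: write`, preferably on that job only. The job definitions are outside this hunk, so a job-level block may already cover this. `pull-requests: write` on a release-triggered workflow is also worth confirming against what the steps do.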
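Review bot: In `.github/workflows/stale.yml`, `contents: write` looks broader than the stale action needs. Marking and closing stale items works with `issues: write` and `pull-requests: write`; write access to contents is only needed when the action is configured to delete the branch of a closed pull request (its `delete-branch` option). The step configuration is outside this hunk, so if that option is not enabled I would drop the `contents: write` line.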