diff --git a/.github/workflows/all_url_check.yml b/.github/workflows/all_url_check.yml
index 925d788..b092f96 100644
--- a/.github/workflows/all_url_check.yml
+++ b/.github/workflows/all_url_check.yml
@@ -7,6 +7,9 @@ name: all_url_check
 schedule:
 - cron: '30 2 * * *'
+permissions:
+ contents: read
+
 jobs:
 run_lychee:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/build_document.yml b/.github/workflows/build_document.yml
index b6c48a7..484bb5f 100644
--- a/.github/workflows/build_document.yml
+++ b/.github/workflows/build_document.yml
@@ -7,6 +7,9 @@ name: build_document
 paths-ignore:
 - 'generated/**'
+permissions:
+ contents: read
+
 env:
 python_version: 3.8
diff --git a/.github/workflows/check_shell_scripts.yml b/.github/workflows/check_shell_scripts.yml
index 5ca6a4a..c7e3741 100644
--- a/.github/workflows/check_shell_scripts.yml
+++ b/.github/workflows/check_shell_scripts.yml
@@ -5,6 +5,9 @@ name: check_shell_scripts
 workflow_dispatch:
 push:
+permissions:
+ contents: read
+
 jobs:
 run_shellcheck:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/chktex.yml b/.github/workflows/chktex.yml
index b9811c0..53959fe 100644
--- a/.github/workflows/chktex.yml
+++ b/.github/workflows/chktex.yml
@@ -7,6 +7,9 @@ name: latex_linter_check
 paths-ignore:
 - 'generated/**'
+permissions:
+ contents: read
+
 jobs:
 run_chktex:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/md_link_check.yml b/.github/workflows/md_link_check.yml
index c70d6fa..c4af23d 100644
--- a/.github/workflows/md_link_check.yml
+++ b/.github/workflows/md_link_check.yml
@@ -3,6 +3,9 @@ name: Check Markdown links
 'on': [workflow_dispatch, push]
+permissions:
+ contents: read
+
 jobs:
 markdown-link-check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pdf_check.yml b/.github/workflows/pdf_check.yml
index a114c71..e320866 100644
--- a/.github/workflows/pdf_check.yml
+++ b/.github/workflows/pdf_check.yml
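Review bot: The new top-level `permissions:` block in `.github/workflows/all_url_check.yml` carries no comment explaining why it is there, and the same three lines land uncommented in the other eight workflows of this commit (build_document, check_shell_scripts, chktex, md_link_check, pdf_check, python_test, sonarcloud_check, yaml_check). Once a workflow declares `permissions`, every scope it does not list is set to `none` for the GITHUB_TOKEN, so a later step that opens an issue or comments on a pull request will fail until a grant is added. I would put `# Least privilege: GITHUB_TOKEN is read-only here; grant extra scopes per job, not at workflow level.` above the block so the next editor widens a single job rather than the whole file. The job bodies continue outside each hunk, so whether any current step needs more than `contents: read` cannot be confirmed from here.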
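Review bot: In `.github/workflows/build_document.yml` the `paths-ignore: 'generated/**'` context suggests built output is committed under `generated/`; if a job in this workflow pushes that output with the default GITHUB_TOKEN, the added `contents: read` will make the push fail. The steps are outside the hunk, so this is an inference to check rather than a confirmed break. If such a push exists, keep the workflow-level block as added and give only that job its own `permissions:` key with `contents: write`, so the build and lint steps stay read-only.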
@@ -8,6 +8,9 @@ name: pdf_check
 - 'generated/**'
 - '.github/workflows/qpdf_check.yml'
+permissions:
+ contents: read
+
 jobs:
 run_qpdf:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/python_test.yml b/.github/workflows/python_test.yml
index d040d67..0587c90 100644
--- a/.github/workflows/python_test.yml
+++ b/.github/workflows/python_test.yml
@@ -9,6 +9,9 @@ name: python_test
 schedule:
 - cron: '50 14 * * 4'
+permissions:
+ contents: read
+
 jobs:
 python_test:
 runs-on: ${{matrix.os}}
diff --git a/.github/workflows/sonarcloud_check.yml b/.github/workflows/sonarcloud_check.yml
index 55de596..bd9ee89 100644
--- a/.github/workflows/sonarcloud_check.yml
+++ b/.github/workflows/sonarcloud_check.yml
@@ -8,6 +8,9 @@ name: sonarcloud_check
 - master
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 sonarcloud:
 name: SonarCloud
diff --git a/.github/workflows/yaml_check.yml b/.github/workflows/yaml_check.yml
index 634832b..894088b 100644
--- a/.github/workflows/yaml_check.yml
+++ b/.github/workflows/yaml_check.yml
@@ -3,6 +3,9 @@ name: yaml_check
 'on': [workflow_dispatch, push]
+permissions:
+ contents: read
+
 jobs:
 run_yamllint:
 runs-on: ubuntu-latest
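Review bot: `.github/workflows/sonarcloud_check.yml` runs on `pull_request`, and with only `contents: read` declared the token's `pull-requests` scope becomes `none`. If the SonarCloud step (outside this hunk) is handed GITHUB_TOKEN to read pull-request metadata, PR analysis may lose its decoration or fail. Consider adding `pull-requests: read` under the new `permissions:` block once the scan step confirms what the token is used for; a read-only grant keeps the least-privilege intent of the change.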