diff --git a/.github/workflows/definitions.yml b/.github/workflows/definitions.yml
index a00b60d0e..9291dcc83 100644
--- a/.github/workflows/definitions.yml
+++ b/.github/workflows/definitions.yml
@@ -3,6 +3,8 @@ on:
   schedule: [{cron: '0 */6 * * *'}] # 6hrly https://crontab.guru/#0_*/6_*_*_*
   workflow_dispatch:
 
+permissions: {contents: read}
+
 jobs:
   scrape:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c03e4899e..8852b8479 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,6 +2,8 @@ name: Release
 on:
   push: { tags: 'v[0-9]+.[0-9]+.[0-9]+*' }
 
+permissions: {contents: read}
+
 jobs:
   release:
     permissions: { contents: write, id-token: write}
diff --git a/.github/workflows/sync-default-branch.yml b/.github/workflows/sync-default-branch.yml
index 2297a54e1..8f2e71812 100644
--- a/.github/workflows/sync-default-branch.yml
+++ b/.github/workflows/sync-default-branch.yml
@@ -3,7 +3,7 @@ on:
   push: { branches: main }
   workflow_dispatch:
 
-permissions: { contents: write }
+permissions: {contents: write}
 
 jobs:
   sync:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 324c36547..959c8031e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -5,7 +5,7 @@ on:
   schedule: [{cron: '0 0 10 * *'}] # monthly https://crontab.guru/#0_0_10_*_*
   workflow_dispatch:
 
-permissions: read-all
+permissions: {contents: read}
 
 jobs:
   test:
diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml
index 913a0f9d6..36301f986 100644
--- a/.github/workflows/version.yml
+++ b/.github/workflows/version.yml
@@ -3,6 +3,8 @@ on:
   schedule: [{ cron: '0 10 * * *' }] # daily: https://crontab.guru/#0_10_*_*_*
   workflow_dispatch:
 
+permissions: {contents: read}
+
 jobs:
   bump:
     runs-on: ubuntu-latest