diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 824db09861..64806e28b6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -45,6 +45,9 @@ on:
       - '*.yml'
       - 'wxwidgets.props'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.runner }}
diff --git a/.github/workflows/ci_mac.yml b/.github/workflows/ci_mac.yml
index 59209359dd..71af0b8f0e 100644
--- a/.github/workflows/ci_mac.yml
+++ b/.github/workflows/ci_mac.yml
@@ -63,6 +63,9 @@ on:
     - '*.yml'
     - 'wxwidgets.props'
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     defaults:
diff --git a/.github/workflows/ci_mac_xcode.yml b/.github/workflows/ci_mac_xcode.yml
index af76fbbd43..f51a4e2803 100644
--- a/.github/workflows/ci_mac_xcode.yml
+++ b/.github/workflows/ci_mac_xcode.yml
@@ -63,6 +63,9 @@ on:
     - '*.yml'
     - 'wxwidgets.props'
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     defaults:
diff --git a/.github/workflows/ci_msw.yml b/.github/workflows/ci_msw.yml
index ae9ed4dbf4..5f8bb37f07 100644
--- a/.github/workflows/ci_msw.yml
+++ b/.github/workflows/ci_msw.yml
@@ -45,6 +45,9 @@ on:
       - '*.md'
       - '*.yml'
 
+permissions:
+  contents: read
+
 jobs:
   msw-msvs:
     runs-on: windows-${{ matrix.vsversion }}
diff --git a/.github/workflows/ci_msw_cross.yml b/.github/workflows/ci_msw_cross.yml
index d660264825..35dd65606e 100644
--- a/.github/workflows/ci_msw_cross.yml
+++ b/.github/workflows/ci_msw_cross.yml
@@ -49,6 +49,9 @@ on:
       - '*.yml'
       - 'wxwidgets.props'
 
+permissions:
+  contents: read
+
 jobs:
   msw-cross-build:
     # Set up this job to run in a Debian Sid container because it has recent
diff --git a/.github/workflows/code_checks.yml b/.github/workflows/code_checks.yml
index 63f42bd67b..ae6118b730 100644
--- a/.github/workflows/code_checks.yml
+++ b/.github/workflows/code_checks.yml
@@ -9,6 +9,9 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   check-unix:
     runs-on: ubuntu-20.04
diff --git a/.github/workflows/docs_update.yml b/.github/workflows/docs_update.yml
index 8a1cf19845..29a13ba639 100644
--- a/.github/workflows/docs_update.yml
+++ b/.github/workflows/docs_update.yml
@@ -18,6 +18,9 @@ on:
   workflow_dispatch:
 
 
+permissions:
+  contents: read
+
 jobs:
   update:
     runs-on: ubuntu-20.04