diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 13c92d4378f..d8e70e5cda8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/git-sync.yml b/.github/workflows/git-sync.yml
index 3be59dee2e9..ca3c11bfbb7 100644
--- a/.github/workflows/git-sync.yml
+++ b/.github/workflows/git-sync.yml
@@ -5,6 +5,9 @@ on:
     branches: [main]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   git-sync:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update-smithy-gradle-plugin.yml b/.github/workflows/update-smithy-gradle-plugin.yml
index 46e34d0da01..b4dd2132fa2 100644
--- a/.github/workflows/update-smithy-gradle-plugin.yml
+++ b/.github/workflows/update-smithy-gradle-plugin.yml
@@ -6,6 +6,10 @@ on:
     # Runs every wednesday at 11
     - cron:  '0 11 * * WED'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   get-version:
     runs-on: ubuntu-latest