diff --git a/.github/workflows/ci-docs-shim.yaml b/.github/workflows/ci-docs-shim.yaml
index 080db8b..2b4f7f4 100644
--- a/.github/workflows/ci-docs-shim.yaml
+++ b/.github/workflows/ci-docs-shim.yaml
@@ -8,6 +8,10 @@ on:
     branches: [main]
     types: [milestoned, opened, synchronize]
 
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+  contents: read # Allows reading the content of the repository.
+
 jobs:
   validate:
     strategy:
diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
index 90a8315..50fe1a5 100644
--- a/.github/workflows/commitlint.yaml
+++ b/.github/workflows/commitlint.yaml
@@ -8,6 +8,10 @@ on:
     branches: [main]
     types: [milestoned, opened, edited, synchronize]
 
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+  contents: read # Allows reading the content of the repository.
+
 jobs:
   validate:
     uses: defenseunicorns/uds-common/.github/workflows/callable-commitlint.yaml@f0164622ffc2007e96a0e1deaa3f5064db04b148 # v1.1.0
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 4c67d49..e3994e6 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -3,6 +3,10 @@
 
 name: Lint
 
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+  contents: read # Allows reading the content of the repository.
+
 on:
   # This workflow is triggered on pull requests to the main branch.
   pull_request: