diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 04d426d091..3dfb79ddc9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,6 +6,9 @@ name: Build
 # Run this Build for all pushes / PRs to current branch
 on: [push, pull_request]
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 tests:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 64303ca8bb..350fea6c34 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -12,6 +12,9 @@ on:
 - 'dspace-**'
 pull_request:
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 docker:
 # Ensure this job never runs on forked repos. It's only executed for 'dspace/dspace-angular'
diff --git a/.github/workflows/issue_opened.yml b/.github/workflows/issue_opened.yml
index 631bb4836d..5d7c1c30f7 100644
--- a/.github/workflows/issue_opened.yml
+++ b/.github/workflows/issue_opened.yml
@@ -5,6 +5,7 @@ on:
 issues:
 types: [opened]
+permissions: {}
 jobs:
 automation:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/label_merge_conflicts.yml b/.github/workflows/label_merge_conflicts.yml
index fcecf9ad33..a840a4fd17 100644
--- a/.github/workflows/label_merge_conflicts.yml
+++ b/.github/workflows/label_merge_conflicts.yml
@@ -11,13 +11,14 @@ on:
 pull_request_target:
 types: [ synchronize ]
+permissions: {}
+
 jobs:
 triage:
 # Ensure this job never runs on forked repos. It's only executed for 'dspace/dspace-angular'
 if: github.repository == 'dspace/dspace-angular'
 runs-on: ubuntu-latest
 permissions:
- issues: write
 pull-requests: write
 steps:
 # See: https://github.com/prince-chrismc/label-merge-conflicts-action
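Review bot: In `.github/workflows/issue_opened.yml` the added `permissions: {}` has no comment, while the `contents: read` lines added to build.yml and docker.yml each state why the scope is there. An empty map removes every scope from `GITHUB_TOKEN` for all jobs in the workflow, so the `automation` job (its steps are outside the hunk) keeps working only if it authenticates with a separate credential. If that is the case it is worth recording on the line, e.g. `permissions: {}  # no GITHUB_TOKEN scopes needed; steps use their own token`. A blank line before `jobs:` would also match the layout used in the other three files.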
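Review bot: In `.github/workflows/label_merge_conflicts.yml` the `triage` job keeps `pull-requests: write` under a `pull_request_target` trigger, so this is the one place in the commit where a write-scoped token is still issued on events that fork pull requests can raise, and nothing in the hunk says why it is needed. A comment in the style of the other files would help, e.g. `pull-requests: write  # to add or remove the conflict label on PRs` (wording to be confirmed against the action's documentation). Dropping `issues: write` should be verified with a test pull request, since labels are applied through the issues API and I believe, but cannot confirm from this page, that it accepts either scope for pull requests. The `uses:` line is outside the hunk; if it references the action by tag, pinning it to a full commit SHA would limit what a changed upstream release could do with that token.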