diff --git a/.github/workflows/auto-add-issues-to-project.yml b/.github/workflows/auto-add-issues-to-project.yml
index ebdfd52a6c6..55182ed8d86 100644
--- a/.github/workflows/auto-add-issues-to-project.yml
+++ b/.github/workflows/auto-add-issues-to-project.yml
@@ -3,6 +3,10 @@ on:
 issues:
 types:
 - opened
+
+permissions:
+ contents: read
+
 jobs:
 track_issue:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index c41cef1fa95..b73baa4c238 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [main]
+permissions:
+ contents: read
+
 env:
 fossa-key: 9e722f2c8904586d61f97f0bf05a99e4 # This is a public key only for pushing, it's safe here
diff --git a/.github/workflows/main-build.yml b/.github/workflows/main-build.yml
index 78f6c1df510..759dbcf6e2b 100644
--- a/.github/workflows/main-build.yml
+++ b/.github/workflows/main-build.yml
@@ -3,6 +3,9 @@ on:
 push:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 build:
 name: build
diff --git a/.github/workflows/nightly-e2e.yml b/.github/workflows/nightly-e2e.yml
index a5e8576400b..03be53ad95c 100644
--- a/.github/workflows/nightly-e2e.yml
+++ b/.github/workflows/nightly-e2e.yml
@@ -3,6 +3,9 @@ on:
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ contents: read
+
 jobs:
 validate:
 uses: kedacore/keda/.github/workflows/template-main-e2e-test.yml@main
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
index adb7dfba753..f93b91a2721 100644
--- a/.github/workflows/pr-validation.yml
+++ b/.github/workflows/pr-validation.yml
@@ -75,6 +75,9 @@ jobs:
 if: always()
 validate-dockerfiles:
+ permissions:
+ contents: read # for dorny/paths-filter to fetch a list of changed files
+ pull-requests: read # for dorny/paths-filter to read pull requests
 name: validate-dockerfiles - ${{ matrix.name }}
 runs-on: ${{ matrix.runner }}
 container: ghcr.io/kedacore/keda-tools:1.23.3
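Review bot: A workflow-level `permissions:` block replaces the token's default scopes rather than narrowing them, so after this hunk the `track_issue` job holds only `contents: read` unless it declares a job-level `permissions:` of its own; the job body is outside the hunk, so confirm it reaches the project board with a PAT or GitHub App token rather than `GITHUB_TOKEN`, whose scopes are now capped by this block. The same check applies to the `build` jobs behind the main-build.yml and release-build.yml hunks and the `validate` job in v1-build.yml: anything there that pushes images, publishes a release or signs via OIDC now needs `packages: write`, `contents: write` or `id-token: write` declared at job level. Since a read-only default is the intended pattern, a comment above the block such as `# read-only default for every job; jobs that publish must declare their own permissions` would make that contract explicit for the next editor.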
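Review bot: The `validate` job calls a reusable workflow (template-main-e2e-test.yml, not part of this diff), and a called workflow can use at most the permissions its caller grants, so the `contents: read` added here becomes the ceiling for every job inside that template. If the template authenticates to cloud providers through OIDC it would additionally need `id-token: write` granted here; confirm against the template before merging. A comment like `# also caps the scopes available to template-main-e2e-test.yml` on the block would document that dependency.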
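Review bot: These job-level blocks narrow only `validate-dockerfiles` and `validate-dev-container` (the second pr-validation.yml hunk); unless the file also carries a top-level `permissions:`, which neither hunk shows, every other job in pr-validation.yml keeps the repository's default token scopes. Adding `permissions:` / `  contents: read` at workflow level, as the other files in this commit do, would make these job-level blocks the only place scopes are raised. The inline comments are useful since `pull-requests: read` is the one non-obvious scope and they already say why dorny/paths-filter needs it.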
@@ -106,6 +109,9 @@ jobs:
 run: make docker-build
 validate-dev-container:
+ permissions:
+ contents: read # for dorny/paths-filter to fetch a list of changed files
+ pull-requests: read # for dorny/paths-filter to read pull requests
 name: Validate dev-container - ${{ matrix.name }}
 runs-on: ${{ matrix.runner }}
 container: ghcr.io/kedacore/keda-tools:1.23.3
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index eddc263b73f..f0c5900e1a5 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -3,6 +3,10 @@ on:
 push:
 tags:
 - "v*"
+
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Push Release
diff --git a/.github/workflows/static-analysis-codeql.yml b/.github/workflows/static-analysis-codeql.yml
index 55c0635ff47..7ac631053af 100644
--- a/.github/workflows/static-analysis-codeql.yml
+++ b/.github/workflows/static-analysis-codeql.yml
@@ -5,6 +5,9 @@ on:
 branches: ["main"]
 pull_request: {}
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
diff --git a/.github/workflows/template-smoke-tests.yml b/.github/workflows/template-smoke-tests.yml
index 587c19cf66d..5d211a3ff5e 100644
--- a/.github/workflows/template-smoke-tests.yml
+++ b/.github/workflows/template-smoke-tests.yml
@@ -12,6 +12,10 @@ on:
 kindImage:
 required: true
 type: string
+
+permissions:
+ contents: read
+
 jobs:
 smoke-tests:
 name: Validate k8s-${{ inputs.kubernetesVersion }}
diff --git a/.github/workflows/template-trivy-scan.yml b/.github/workflows/template-trivy-scan.yml
index 642a59ae017..f60cf01e60a 100644
--- a/.github/workflows/template-trivy-scan.yml
+++ b/.github/workflows/template-trivy-scan.yml
@@ -31,6 +31,9 @@ on:
 required: true
 type: boolean
+permissions:
+ contents: read
+
 jobs:
 trivy-scan:
 name: Trivy - ${{ inputs.runs-on }} - ${{ inputs.scan-type }} ${{ inputs.image-ref }}
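Review bot: The trailing comment `# added using https://github.com/step-security/secure-repo` on the new `permissions:` line appears only in static-analysis-codeql.yml although the same block is added to the other workflows in this commit; tool provenance belongs in the commit message, so drop it here for consistency with the other hunks (or apply it uniformly). Separately, with the workflow default now `contents: read`, the CodeQL job must declare `security-events: write` at job level for its results upload to succeed; that job is outside the hunk, so verify it does before merging.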
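Review bot: template-smoke-tests.yml and template-trivy-scan.yml appear to be reusable (`workflow_call`) templates, judging by their `on:` input declarations and the `uses:` of a sibling template in nightly-e2e.yml, so the `permissions:` block added to each is capped by whatever the calling workflow grants and cannot raise scopes on its own; it is still worth keeping as the template's declared requirement. For template-trivy-scan.yml in particular, if the `trivy-scan` job uploads SARIF to code scanning it needs `security-events: write` both here and in every caller, which `contents: read` alone does not provide; the job steps are outside the hunk, so confirm. A comment such as `# effective scopes are the intersection of this block and the caller's permissions` above each block would record that for maintainers.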
diff --git a/.github/workflows/v1-build.yml b/.github/workflows/v1-build.yml
index 3bad2a9bbdd..052928f0a34 100644
--- a/.github/workflows/v1-build.yml
+++ b/.github/workflows/v1-build.yml
@@ -3,6 +3,10 @@ on:
 push:
 branches:
 - v1
+
+permissions:
+ contents: read
+
 jobs:
 validate:
 name: Validate