diff --git a/.github/workflows/buildifier.yml b/.github/workflows/buildifier.yml
index 373141f8..fb34efe1 100644
--- a/.github/workflows/buildifier.yml
+++ b/.github/workflows/buildifier.yml
@@ -7,6 +7,8 @@ on:
   pull_request:
     branches:
     - main
+permissions:
+  contents: read
 jobs:
   bazel-formatting-check:
     uses: secretflow/.github/.github/workflows/bazel-linter.yml@main
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 926e495e..6fabd8c4 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -5,6 +5,8 @@ on:
     types: [created]
   pull_request_target:
     types: [opened, closed, synchronize]
+permissions:
+  contents: write
 jobs:
   CLAssistant:
     uses: secretflow/.github/.github/workflows/cla.yml@main
diff --git a/.github/workflows/clang-format-linter.yml b/.github/workflows/clang-format-linter.yml
index d49a73e2..d5efb2ed 100644
--- a/.github/workflows/clang-format-linter.yml
+++ b/.github/workflows/clang-format-linter.yml
@@ -7,6 +7,8 @@ on:
   pull_request:
     branches:
     - main
+permissions:
+  contents: read
 jobs:
   run-clang-format:
     uses: secretflow/.github/.github/workflows/clang-format.yml@main
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index beef7e25..9216b2bc 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,6 +4,9 @@ on:
   workflow_dispatch:
   schedule:
     - cron: 40 9 * * *
+permissions:
+  pull-requests: write
+  issues: write
 jobs:
   stale:
     uses: secretflow/.github/.github/workflows/stale.yml@main
diff --git a/.github/workflows/yaml-lint.yml b/.github/workflows/yaml-lint.yml
index 881fcb6c..8f5e07f0 100644
--- a/.github/workflows/yaml-lint.yml
+++ b/.github/workflows/yaml-lint.yml
@@ -7,6 +7,8 @@ on:
   pull_request:
     branches:
     - main
+permissions:
+  contents: read
 jobs:
   yaml-linter:
     uses: secretflow/.github/.github/workflows/yaml-linter.yml@main