diff --git a/.github/workflows/assets_artifact_build.yml b/.github/workflows/assets_artifact_build.yml
index 09dbbe38..048725d0 100644
--- a/.github/workflows/assets_artifact_build.yml
+++ b/.github/workflows/assets_artifact_build.yml
@@ -1,5 +1,8 @@
 name: Build assets artifact
 
+permissions:
+    contents: read
+
 on:
   push:
     branches:
diff --git a/.github/workflows/docker_build.yml b/.github/workflows/docker_build.yml
index 64287d83..5b6f52fa 100644
--- a/.github/workflows/docker_build.yml
+++ b/.github/workflows/docker_build.yml
@@ -1,5 +1,8 @@
 name: Docker Image Build
 
+permissions:
+    contents: read
+
 on:
   #schedule:
   #  - cron: '0 10 * * *' # everyday at 10am
@@ -73,4 +76,4 @@ jobs:
           tags: ${{ steps.docker_meta.outputs.tags }}
           labels: ${{ steps.docker_meta.outputs.labels }}
           cache-from: type=gha
-          cache-to: type=gha,mode=max
\ No newline at end of file
+          cache-to: type=gha,mode=max
diff --git a/.github/workflows/docker_frankenphp.yml b/.github/workflows/docker_frankenphp.yml
index d8cd0695..876b1ce8 100644
--- a/.github/workflows/docker_frankenphp.yml
+++ b/.github/workflows/docker_frankenphp.yml
@@ -1,5 +1,8 @@
 name: Docker Image Build (FrankenPHP)
 
+permissions:
+    contents: read
+
 on:
   #schedule:
   #  - cron: '0 10 * * *' # everyday at 10am
@@ -74,4 +77,4 @@ jobs:
           tags: ${{ steps.docker_meta.outputs.tags }}
           labels: ${{ steps.docker_meta.outputs.labels }}
           cache-from: type=gha
-          cache-to: type=gha,mode=max
\ No newline at end of file
+          cache-to: type=gha,mode=max
diff --git a/.github/workflows/static_analysis.yml b/.github/workflows/static_analysis.yml
index 20150b28..b07508dd 100644
--- a/.github/workflows/static_analysis.yml
+++ b/.github/workflows/static_analysis.yml
@@ -1,5 +1,8 @@
 name: Static analysis
 
+permissions:
+    contents: read
+
 on:
   push:
     branches:
@@ -30,20 +33,20 @@ jobs:
       id: composer-cache
       run: |
         echo "::set-output name=dir::$(composer config cache-files-dir)"
-    
+
     - uses: actions/cache@v4
       with:
         path: ${{ steps.composer-cache.outputs.dir }}
         key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
         restore-keys: |
-          ${{ runner.os }}-composer-  
+          ${{ runner.os }}-composer-
 
     - name: Install dependencies
       run: composer install --prefer-dist --no-progress
 
     - name: Lint config files
       run: ./bin/console lint:yaml config --parse-tags
-    
+
     - name: Lint twig templates
       run: ./bin/console lint:twig templates --env=prod
 
@@ -53,13 +56,13 @@ jobs:
 
     - name: Check dependencies for security
       uses: symfonycorp/security-checker-action@v5
-    
+
     - name: Check doctrine mapping
       run: ./bin/console doctrine:schema:validate --skip-sync -vvv --no-interaction
 
     # Use the -d option to raise the max nesting level
     - name: Generate dev container
       run: php -d xdebug.max_nesting_level=1000 ./bin/console cache:clear --env dev
-    
+
     - name: Run PHPstan
       run: composer phpstan
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 1233996e..613172f4 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,5 +1,8 @@
 name: PHPUnit Tests
 
+permissions:
+    contents: read
+
 on:
   push:
     branches: