diff --git a/.github/workflows/bootstrap.yaml b/.github/workflows/bootstrap.yaml
index eedde2ec..30e6218a 100644
--- a/.github/workflows/bootstrap.yaml
+++ b/.github/workflows/bootstrap.yaml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [ main ]
+permissions:
+ contents: read
+
 jobs:
 github:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/e2e-arm64.yaml b/.github/workflows/e2e-arm64.yaml
index 53fb7650..15b77503 100644
--- a/.github/workflows/e2e-arm64.yaml
+++ b/.github/workflows/e2e-arm64.yaml
@@ -5,6 +5,9 @@ on:
 push:
 branches: [ main, update-components ]
+permissions:
+ contents: read
+
 jobs:
 test:
 # Hosted on Equinix
diff --git a/.github/workflows/e2e-azure.yaml b/.github/workflows/e2e-azure.yaml
index def42188..d3db6d61 100644
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@@ -7,6 +7,9 @@ on:
 push:
 branches: [ azure* ]
+permissions:
+ contents: read
+
 jobs:
 e2e:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 29af71d6..ef68a19f 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [ main, oci ]
+permissions:
+ contents: read
+
 jobs:
 kind:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release-manifests.yml b/.github/workflows/release-manifests.yml
index 178f3642..9ccc419a 100644
--- a/.github/workflows/release-manifests.yml
+++ b/.github/workflows/release-manifests.yml
@@ -5,10 +5,12 @@ on:
 workflow_dispatch:
 permissions:
- id-token: write # needed for keyless signing
- packages: write # needed for ghcr access
+ contents: read
 jobs:
+ permissions:
+ id-token: write # needed for keyless signing
+ packages: write # needed for ghcr access
 build-push:
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index cc969451..099a6827 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
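Review bot: In the release-manifests.yml hunk the new job-level `permissions` block is inserted directly under `jobs:` and before `build-push:`, so GitHub will read `permissions` as a job name with no `runs-on` or `steps` and reject the workflow. It belongs one level deeper, inside `build-push:`, the way the goreleaser job in release.yaml receives its block. Because a job-level `permissions` block replaces the workflow-level one entirely (every scope not listed becomes none), the job block should also repeat `contents: read`. The same omission affects the codeql job in scan.yaml, whose new block carries only `security-events: write` and therefore loses the `contents: read` that the file's own comment says actions/checkout needs (CodeQL additionally wants `actions: read` if this is a private repository).
```yaml
jobs:
  build-push:
    permissions:
      contents: read # job-level permissions do not inherit the workflow-level block
      id-token: write # needed for keyless signing
      packages: write # needed for ghcr access
    # … unchanged: runs-on, steps …
```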
@@ -11,6 +11,10 @@ permissions:
 jobs:
 goreleaser:
+ permissions: # TODO: Segment these jobs to minimize which actions are recieving escalated perms
+ contents: write # needed to write releases
+ id-token: write # needed for keyless signing
+ packages: write # needed for ghcr access
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index 54b8b3e0..cad18be7 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -10,7 +10,6 @@ on:
 permissions:
 contents: read # for actions/checkout to fetch code
- security-events: write # for codeQL to write security events
 jobs:
 fossa:
@@ -50,6 +49,8 @@ jobs:
 sarif_file: snyk.sarif
 codeql:
+ permissions:
+ security-events: write # for codeQL to write security events
 name: CodeQL
 runs-on: ubuntu-latest
 if: github.actor != 'dependabot[bot]'
diff --git a/.github/workflows/update.yaml b/.github/workflows/update.yaml
index c9d4fb16..cac03dea 100644
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
@@ -7,6 +7,9 @@ on:
 push:
 branches: [main]
+permissions:
+ contents: read
+
 jobs:
 update-components:
 runs-on: ubuntu-latest
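Review bot: The inline TODO on the added `permissions:` line of the goreleaser job has a typo (`recieving`) and reads as a passing remark rather than a tracked task; rewording it to `permissions: # TODO: split this job so fewer steps receive the escalated scopes below` and filing an issue would keep the segmentation work visible. Once a job declares its own `permissions`, the workflow-level block (it begins above this hunk and is not visible here) no longer applies to goreleaser, so anything it granted beyond `contents: read` has to be listed in this job block as well — worth confirming it now holds only the read scope.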