diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
index f76d86b03..eaf439e4a 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -10,6 +10,8 @@ on:
 - cron: '35 13 * * 5'
 workflow_dispatch:
+permissions: {}
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/dependency-update.yaml b/.github/workflows/dependency-update.yaml
index 7dc311a05..be021c90b 100644
--- a/.github/workflows/dependency-update.yaml
+++ b/.github/workflows/dependency-update.yaml
@@ -8,14 +8,15 @@ on:
 # once a day
 - cron: '0 0 * * *'
-permissions:
- contents: write
- pull-requests: write
+permissions: {}
 jobs:
 update-versions-with-renovate:
 runs-on: ubuntu-latest
 if: github.repository == 'kubernetes-sigs/external-dns'
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - name: checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/gh-workflow-approve.yaml b/.github/workflows/gh-workflow-approve.yaml
index 571a17d8a..91b1c0297 100644
--- a/.github/workflows/gh-workflow-approve.yaml
+++ b/.github/workflows/gh-workflow-approve.yaml
@@ -8,6 +8,8 @@ on:
 branches:
 - master
+permissions: {}
+
 jobs:
 approve:
 name: Approve ok-to-test
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 0024b4feb..08b6594b1 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -4,6 +4,8 @@ on:
 pull_request:
 branches: [ master ]
+permissions: {}
+
 jobs:
 lint:
 name: Markdown and Go
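Review bot: With `permissions: {}` at the top of codeql-analysis.yaml, the `analyze` job runs with a GITHUB_TOKEN that has no scopes unless the job declares its own `permissions:` block, and the job body lies outside this hunk, so that cannot be confirmed from here. CodeQL's result upload needs `security-events: write`, so the job should carry `permissions:` with `security-events: write` and `contents: read` if it does not already. The same check applies to the `approve` job in gh-workflow-approve.yaml, which presumably needs `actions: write` to approve pending runs, and to the `lint` job in lint.yaml, whose bodies are also cut off by their hunks. A one-line comment above each `permissions: {}`, such as `# deny by default; each job grants only what it needs`, would stop a later editor from re-adding scopes at workflow level.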
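Review bot: The job-level `contents: write` and `pull-requests: write` on `update-versions-with-renovate` in dependency-update.yaml carry no comment saying which step consumes them, and the steps after `checkout` are outside this hunk. I would add a comment above the block such as `# renovate pushes update branches and opens PRs with GITHUB_TOKEN`, if that is indeed the consumer. If Renovate authenticates with its own app or PAT token instead, these scopes can likely drop to `contents: read`, and the checkout step could set `persist-credentials: false` so the job token is not left available to later steps.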