diff --git a/.github/workflows/aws-lc-fips.yml b/.github/workflows/aws-lc-fips.yml
index cb758c6a3..b7a5dbd3a 100644
--- a/.github/workflows/aws-lc-fips.yml
+++ b/.github/workflows/aws-lc-fips.yml
@@ -5,6 +5,9 @@ on:
     - cron: "0 0 * * 4"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     uses: ./.github/workflows/aws-lc-template.yml
diff --git a/.github/workflows/aws-lc.yml b/.github/workflows/aws-lc.yml
index 1e4125712..bed888b91 100644
--- a/.github/workflows/aws-lc.yml
+++ b/.github/workflows/aws-lc.yml
@@ -5,6 +5,9 @@ on:
     - cron: "0 0 * * 4"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     uses: ./.github/workflows/aws-lc-template.yml
diff --git a/.github/workflows/illumos.yml b/.github/workflows/illumos.yml
index 18284e415..7105e7459 100644
--- a/.github/workflows/illumos.yml
+++ b/.github/workflows/illumos.yml
@@ -5,12 +5,13 @@ on:
     - cron: "0 0 25 * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   gcc:
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'haproxy' || github.event_name == 'workflow_dispatch' }}
-    permissions:
-      contents: read
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v5
diff --git a/.github/workflows/netbsd.yml b/.github/workflows/netbsd.yml
index 1c31aa968..834011eaf 100644
--- a/.github/workflows/netbsd.yml
+++ b/.github/workflows/netbsd.yml
@@ -5,12 +5,13 @@ on:
     - cron: "0 0 25 * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   gcc:
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'haproxy' || github.event_name == 'workflow_dispatch' }}
-    permissions:
-      contents: read
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v5
diff --git a/.github/workflows/quic-interop-aws-lc.yml b/.github/workflows/quic-interop-aws-lc.yml
index 718ebbe8c..a6e82788d 100644
--- a/.github/workflows/quic-interop-aws-lc.yml
+++ b/.github/workflows/quic-interop-aws-lc.yml
@@ -9,13 +9,13 @@ on:
   schedule:
     - cron: "0 0 * * 2"
 
+permissions:
+  contents: read
 
 jobs:
   combined-build-and-run:
     runs-on: ubuntu-24.04
     if: ${{ github.repository_owner == 'haproxy' || github.event_name == 'workflow_dispatch' }}
-    permissions:
-      contents: read
 
     steps:
       - uses: actions/checkout@v5
diff --git a/.github/workflows/quic-interop-libressl.yml b/.github/workflows/quic-interop-libressl.yml
index 6c5d23d98..c40564709 100644
--- a/.github/workflows/quic-interop-libressl.yml
+++ b/.github/workflows/quic-interop-libressl.yml
@@ -9,13 +9,13 @@ on:
   schedule:
     - cron: "0 0 * * 2"
 
+permissions:
+  contents: read
 
 jobs:
   combined-build-and-run:
     runs-on: ubuntu-24.04
     if: ${{ github.repository_owner == 'haproxy' || github.event_name == 'workflow_dispatch' }}
-    permissions:
-      contents: read
 
     steps:
       - uses: actions/checkout@v5