diff --git a/.github/workflows/ci-test-website.yaml b/.github/workflows/ci-test-website.yaml index a1b613042b6d..0907b343aca0 100644 --- a/.github/workflows/ci-test-website.yaml +++ b/.github/workflows/ci-test-website.yaml @@ -5,6 +5,10 @@ on: push: branches: - 'main' + +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/ci-test.yaml b/.github/workflows/ci-test.yaml index 4a6d1ca0b87c..59739a262532 100644 --- a/.github/workflows/ci-test.yaml +++ b/.github/workflows/ci-test.yaml @@ -6,6 +6,9 @@ on: branches: - 'main' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/deploy-preview.yaml b/.github/workflows/deploy-preview.yaml index 38d18fb8d3b2..d9729d17d70f 100644 --- a/.github/workflows/deploy-preview.yaml +++ b/.github/workflows/deploy-preview.yaml @@ -28,6 +28,9 @@ on: - '!**/*.test.ts' - '!**/test/**' +permissions: + contents: read + jobs: deploy-preview: runs-on: ubuntu-latest diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 33c75a4d12ba..fcf5dfc1686b 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -17,6 +17,9 @@ on: schedule: - cron: '0 0 * * *' # Runs daily at midnight UTC +permissions: + contents: write + jobs: deploy-nightly: if: ${{ github.event.inputs.deploy_type == 'nightly' || github.event_name == 'schedule' }} diff --git a/.github/workflows/issue-close.yaml b/.github/workflows/issue-close.yaml index c4ed2007abb2..ad75e633ee7d 100644 --- a/.github/workflows/issue-close.yaml +++ b/.github/workflows/issue-close.yaml @@ -4,6 +4,9 @@ on: schedule: - cron: "0 0 * * *" +permissions: + issues: write + jobs: stale: runs-on: ubuntu-latest diff --git a/.github/workflows/issue-comment.yaml b/.github/workflows/issue-comment.yaml index 33d49701670d..69dbeb053f6e 100644 --- a/.github/workflows/issue-comment.yaml +++ b/.github/workflows/issue-comment.yaml 
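Review bot: A workflow-level `permissions:` block sets every scope it does not list to `none`, so with only `contents: read` the `deploy-preview` job can no longer comment on the pull request, create a deployment or push through `GITHUB_TOKEN`. The job's steps are outside this hunk; if any of them relies on the default token for that, add the specific scope (for example `pull-requests: write`) at job level rather than widening the workflow default. The same check applies to the identical block added in reset-gh-pages.yaml and reset-preview-deploy.yaml, whose names suggest they write to a branch, which `contents: read` would reject unless they authenticate with a separate credential. If that is how these jobs authenticate, a comment above the block such as `# GITHUB_TOKEN is read-only; publishing uses a dedicated credential` would record the intent.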
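Review bot: `contents: write` at workflow level in deploy.yaml is granted to every job in the file, including any job that only installs dependencies, builds or tests. Only `deploy-nightly` is visible here and the rest of the file is outside the hunk, but the narrower form is to keep the workflow default at `contents: read` and put `permissions: {contents: write}` on the job or jobs that actually push or create a release. This limits what a build step that runs third-party code can do with the token, and it matters more here because the workflow also runs unattended on a daily schedule.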
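Review bot: `issues: write` on its own in issue-close.yaml leaves `pull-requests` at `none`, which matters if the `stale` job also labels or closes pull requests. The job's steps are outside the hunk, so this may not apply. If it does handle pull requests, add `pull-requests: write` next to `issues: write`; otherwise a one-line comment such as `# stale job handles issues only` above the block would show the scoping is intentional.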
@@ -4,6 +4,9 @@ on: issues: types: [closed] +permissions: + issues: write + jobs: comment-on-close: runs-on: ubuntu-latest diff --git a/.github/workflows/issue-reopen.yaml b/.github/workflows/issue-reopen.yaml index e13ac93e50c6..95c3867ae0a9 100644 --- a/.github/workflows/issue-reopen.yaml +++ b/.github/workflows/issue-reopen.yaml @@ -4,6 +4,9 @@ on: issue_comment: types: [created] +permissions: + issues: write + jobs: reopen-issue: if: github.event.issue.state == 'closed' diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 2f42d35678af..5dd3df3a826a 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -5,6 +5,10 @@ on: push: branches: - 'main' + +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/release-downport.yaml b/.github/workflows/release-downport.yaml deleted file mode 100644 index 6520fd196704..000000000000 --- a/.github/workflows/release-downport.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -name: Release Downport - -on: - workflow_dispatch: - inputs: - release_type: - description: 'Release Type: use patch | minor | major or leave empty for auto' - required: false - default: '' - npm_tag: - description: 'npm dist tag' - required: true - default: 'v1' - -jobs: - build-and-release: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - token: ${{ secrets.UI5_WEBCOMP_BOT_GH_TOKEN }} - fetch-depth: 0 - - uses: actions/setup-node@v4.1.0 - with: - node-version: 20 - cache: 'yarn' - - - name: Install - run: yarn --immutable - - - name: Version Bump - env: - NPM_USERNAME: ${{ secrets.NPM_USER }} - NPM_EMAIL: ${{ secrets.NPM_EMAIL }} - NPM_AUTH_TOKEN: ${{ secrets.NPM_RELEASE_AUTH_TOKEN }} - GH_TOKEN: ${{ secrets.UI5_WEBCOMP_BOT_GH_TOKEN }} - run: | - npm config set //registry.npmjs.org/:_authToken=${NPM_AUTH_TOKEN} - git config user.name "${{ secrets.UI5_WEBCOMP_BOT_NAME }}" - git config user.email "${{ secrets.UI5_WEBCOMP_BOT_EMAIL }}" - yarn lerna version ${{ github.event.inputs.release_type }} --conventional-graduate --force-conventional-graduate --yes --exact --create-release github - - - name: Build - run: yarn ci:releasebuild - - - name: Publish - env: - NPM_USERNAME: ${{ secrets.NPM_USER }} - NPM_EMAIL: ${{ secrets.NPM_EMAIL }} - NPM_AUTH_TOKEN: ${{ secrets.NPM_RELEASE_AUTH_TOKEN }} - GH_TOKEN: ${{ secrets.UI5_WEBCOMP_BOT_GH_TOKEN }} - run: yarn lerna publish from-git --yes --dist-tag ${{ github.event.inputs.npm_tag }} \ No newline at end of file diff --git a/.github/workflows/reset-gh-pages.yaml b/.github/workflows/reset-gh-pages.yaml index e8feef7dd924..3de0dc2e2b37 100644 --- a/.github/workflows/reset-gh-pages.yaml +++ b/.github/workflows/reset-gh-pages.yaml @@ -4,6 +4,9 @@ on: schedule: - cron: "00 08 * * *" +permissions: + contents: read + jobs: reset-gh-pages: runs-on: ubuntu-latest 
diff --git a/.github/workflows/reset-preview-deploy.yaml b/.github/workflows/reset-preview-deploy.yaml index 6f25124a7568..262791c31751 100644 --- a/.github/workflows/reset-preview-deploy.yaml +++ b/.github/workflows/reset-preview-deploy.yaml @@ -24,6 +24,9 @@ on: - '!**/*.test.ts' - '!**/test/**' +permissions: + contents: read + jobs: cleanup-preview: runs-on: ubuntu-latest