diff --git a/.github/workflows/actions-test.yml b/.github/workflows/actions-test.yml
index 13f0d3e665..c2b33af5c6 100644
--- a/.github/workflows/actions-test.yml
+++ b/.github/workflows/actions-test.yml
@@ -10,6 +10,9 @@ on:
 paths:
 - '.github/actions/upload-artifact-s3/**'
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build
diff --git a/.github/workflows/bc-linter-tests.yml b/.github/workflows/bc-linter-tests.yml
index ed626cc391..a32db335b2 100644
--- a/.github/workflows/bc-linter-tests.yml
+++ b/.github/workflows/bc-linter-tests.yml
@@ -16,6 +16,9 @@ defaults:
 run:
 working-directory: tools/stronghold/
 
+permissions:
+ contents: read
+
 jobs:
 bc-linter-tests:
 name: BC-Linter Tests
diff --git a/.github/workflows/checkout-licensed.yml b/.github/workflows/checkout-licensed.yml
index 3b9a509a83..e7e52f7281 100644
--- a/.github/workflows/checkout-licensed.yml
+++ b/.github/workflows/checkout-licensed.yml
@@ -12,6 +12,9 @@ on:
 paths:
 - '.github/actions/checkout/**'
 
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/checkout-test.yml b/.github/workflows/checkout-test.yml
index bbb283a073..7929ab93e4 100644
--- a/.github/workflows/checkout-test.yml
+++ b/.github/workflows/checkout-test.yml
@@ -17,6 +17,9 @@ on:
 # these refer to "test-data" branches on this actions/checkout repo.
 # (For example, test-data/v2/basic -> https://github.com/actions/checkout/tree/test-data/v2/basic)
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/cross-repo-ci-relay-tests.yml b/.github/workflows/cross-repo-ci-relay-tests.yml
index 82d56d193d..296cab7074 100644
--- a/.github/workflows/cross-repo-ci-relay-tests.yml
+++ b/.github/workflows/cross-repo-ci-relay-tests.yml
@@ -16,6 +16,9 @@ defaults:
 run:
 working-directory: aws/lambda/cross_repo_ci_relay/
 
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-22.04
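Review bot: The new top-level `permissions: contents: read` in actions-test.yml becomes the ceiling for every job in the file, so any job that needs a wider scope must re-declare it at job level, and the hunk does not show whether the `build` job (body outside the hunk) that exercises `.github/actions/upload-artifact-s3` needs one. If that action obtains AWS credentials through OIDC it will also require `id-token: write`, which should be granted under `build:` as a job-level `permissions:` block rather than by widening the top-level one, so the read-only default keeps its value. The same check applies to every other hunk in this commit; I would also add a one-line comment above the block, `# GITHUB_TOKEN is read-only by default; jobs needing more raise it per-job.`, so later edits do not silently widen it at the top.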
diff --git a/.github/workflows/lambda-runner-binaries-syncer.yml b/.github/workflows/lambda-runner-binaries-syncer.yml
index 759303305f..829a62b2fb 100644
--- a/.github/workflows/lambda-runner-binaries-syncer.yml
+++ b/.github/workflows/lambda-runner-binaries-syncer.yml
@@ -8,6 +8,9 @@ on:
 - .github/workflows/lambda-runner-binaries-syncer.yml
 - "terraform-aws-github-runner/modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/**"
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: "Run tests for runner binaries syncer lambda"
diff --git a/.github/workflows/lambda-runners.yml b/.github/workflows/lambda-runners.yml
index 22db0aae40..a3f5af1ea6 100644
--- a/.github/workflows/lambda-runners.yml
+++ b/.github/workflows/lambda-runners.yml
@@ -8,6 +8,9 @@ on:
 - .github/workflows/lambda-runners.yml
 - "terraform-aws-github-runner/modules/runners/lambdas/runners/**"
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: "Run tests for runners lambda"
diff --git a/.github/workflows/lambda-webhook.yml b/.github/workflows/lambda-webhook.yml
index d418c8d1a1..2c1a14fb53 100644
--- a/.github/workflows/lambda-webhook.yml
+++ b/.github/workflows/lambda-webhook.yml
@@ -8,6 +8,9 @@ on:
 - .github/workflows/lambda-webhook.yml
 - "terraform-aws-github-runner/modules/webhook/lambdas/webhook/**"
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: "Run tests for webhook lambda"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index d7b307594f..a5ae0362f3 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -12,6 +12,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.event_name == 'workflow_dispatch' }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 lintrunner:
 name: lintrunner
diff --git a/.github/workflows/scale_config_validation.yml b/.github/workflows/scale_config_validation.yml
index 0c39fc26cc..a58f20cb8c 100644
--- a/.github/workflows/scale_config_validation.yml
+++ b/.github/workflows/scale_config_validation.yml
@@ -10,6 +10,9 @@ on:
 - .github/scale-config.yml
 - .github/scripts/validate_scale_config.py
 
+permissions:
+ contents: read
+
 jobs:
 scale-config-validation:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test-binary-size-validation.yml b/.github/workflows/test-binary-size-validation.yml
index b5f3cf4020..e5443998aa 100644
--- a/.github/workflows/test-binary-size-validation.yml
+++ b/.github/workflows/test-binary-size-validation.yml
@@ -7,6 +7,9 @@ on:
 - tools/binary_size_validation/binary_size_validation.py
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 test-binary-size-validation:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test-export-matrix-variables.yml b/.github/workflows/test-export-matrix-variables.yml
index a2f89af8ec..11007fd16d 100644
--- a/.github/workflows/test-export-matrix-variables.yml
+++ b/.github/workflows/test-export-matrix-variables.yml
@@ -6,6 +6,9 @@ on:
 - .github/workflows/test-export-matrix-variables.yml
 - .github/actions/export-matrix-variables/*
 
+permissions:
+ contents: read
+
 jobs:
 test-linux:
 uses: ./.github/workflows/linux_job_v2.yml
diff --git a/.github/workflows/test-setup-miniconda.yml b/.github/workflows/test-setup-miniconda.yml
index 24492bb1b8..085dd6b630 100644
--- a/.github/workflows/test-setup-miniconda.yml
+++ b/.github/workflows/test-setup-miniconda.yml
@@ -7,6 +7,9 @@ on:
 - .github/actions/check-disk-space/*
 - .github/actions/setup-miniconda/*
 
+permissions:
+ contents: read
+
 jobs:
 test:
 strategy:
diff --git a/.github/workflows/test-setup-nvidia.yml b/.github/workflows/test-setup-nvidia.yml
index 2dbdaa87cc..7d98f0b924 100644
--- a/.github/workflows/test-setup-nvidia.yml
+++ b/.github/workflows/test-setup-nvidia.yml
@@ -7,6 +7,9 @@ on:
 - .github/actions/setup-nvidia/action.yml
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 test:
 strategy:
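Review bot: For a workflow that calls a reusable workflow, the top-level `permissions:` block is also the maximum the called workflow may request, so in test-export-matrix-variables.yml the `test-linux` job's `uses: ./.github/workflows/linux_job_v2.yml` will be rejected at run validation if linux_job_v2.yml (not in this diff) declares any scope beyond `contents: read`. The same applies to the caller hunks in test-validate-domain-library.yml, test_linux_job.yml, test_macos_job.yml, test_windows_job.yml and validate-repackaged-binary-sizes.yml, whose called workflows are likewise outside the diff. It is worth checking each called workflow's own `permissions:` before merging and, where one needs more, granting it on the calling job (`test-linux:` / `permissions:` / `...`) rather than at the top level. The job bodies continue past the end of each hunk.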
diff --git a/.github/workflows/test-setup-python.yml b/.github/workflows/test-setup-python.yml
index 987f7006f3..e329c61fb6 100644
--- a/.github/workflows/test-setup-python.yml
+++ b/.github/workflows/test-setup-python.yml
@@ -6,6 +6,9 @@ on:
 - .github/actions/setup-python/*
 - .github/workflows/test-setup-python.yml
 
+permissions:
+ contents: read
+
 jobs:
 setup-python-job:
 runs-on: macos-m1-stable
diff --git a/.github/workflows/test-setup-uv.yml b/.github/workflows/test-setup-uv.yml
index 2f58d40d9d..b7675c3de9 100644
--- a/.github/workflows/test-setup-uv.yml
+++ b/.github/workflows/test-setup-uv.yml
@@ -7,6 +7,9 @@ on:
 - .github/actions/setup-uv/action.yml
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 test:
 strategy:
diff --git a/.github/workflows/test-validate-domain-library.yml b/.github/workflows/test-validate-domain-library.yml
index d713464537..4285040d8e 100644
--- a/.github/workflows/test-validate-domain-library.yml
+++ b/.github/workflows/test-validate-domain-library.yml
@@ -7,6 +7,9 @@ on:
 - .github/workflows/test-validate-domain-library.yml
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 test-validate-domain-library:
 uses: ./.github/workflows/validate-domain-library.yml
diff --git a/.github/workflows/test_linux_job.yml b/.github/workflows/test_linux_job.yml
index 300e6c9e53..738e63e6d8 100644
--- a/.github/workflows/test_linux_job.yml
+++ b/.github/workflows/test_linux_job.yml
@@ -9,6 +9,9 @@ on:
 - .github/scripts/run_with_env_secrets.py
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 test-secrets-no-filter-var:
 uses: ./.github/workflows/linux_job.yml
diff --git a/.github/workflows/test_macos_job.yml b/.github/workflows/test_macos_job.yml
index 70b4fc2310..1a79dc3dcc 100644
--- a/.github/workflows/test_macos_job.yml
+++ b/.github/workflows/test_macos_job.yml
@@ -8,6 +8,9 @@ on:
 - .github/scripts/run_with_env_secrets.py
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 test-m1:
 uses: ./.github/workflows/macos_job.yml
diff --git a/.github/workflows/test_windows_job.yml b/.github/workflows/test_windows_job.yml
index 59a4693396..283fa9c9cb 100644
--- a/.github/workflows/test_windows_job.yml
+++ b/.github/workflows/test_windows_job.yml
@@ -7,6 +7,9 @@ on:
 - .github/workflows/test_windows_job.yml
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 test-cpu:
 uses: ./.github/workflows/windows_job.yml
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 27122fa7ac..74f7c3f7fc 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -13,6 +13,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 test-tools:
 name: Test tools
diff --git a/.github/workflows/torchci.yml b/.github/workflows/torchci.yml
index 70db681f07..be54885c14 100644
--- a/.github/workflows/torchci.yml
+++ b/.github/workflows/torchci.yml
@@ -9,6 +9,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/trigger_nightly.yml b/.github/workflows/trigger_nightly.yml
index 3793facf3d..6c1323e833 100644
--- a/.github/workflows/trigger_nightly.yml
+++ b/.github/workflows/trigger_nightly.yml
@@ -27,6 +27,10 @@ on:
 - torchcomms
 - torchforge
 - all
+
+permissions:
+ contents: read
+
 jobs:
 trigger:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/trigger_nightly_core.yml b/.github/workflows/trigger_nightly_core.yml
index 3ad2c494bc..fdc78226f7 100644
--- a/.github/workflows/trigger_nightly_core.yml
+++ b/.github/workflows/trigger_nightly_core.yml
@@ -6,6 +6,9 @@ on:
 - cron: 30 7 * * *
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 trigger:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/validate-pypi-wheel-binary-size.yml b/.github/workflows/validate-pypi-wheel-binary-size.yml
index c9547ada01..40cee2762a 100644
--- a/.github/workflows/validate-pypi-wheel-binary-size.yml
+++ b/.github/workflows/validate-pypi-wheel-binary-size.yml
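Review bot: In trigger_nightly.yml and trigger_nightly_core.yml the `trigger` job (its body is outside the hunk) is the job in this commit most likely to need more than `contents: read`, since its name and the `workflow_dispatch`/`cron` triggers suggest it dispatches other workflows. If it does so with GITHUB_TOKEN, creating a dispatch event needs `actions: write`, which should now be declared on the job (`trigger:` / `permissions:` / `actions: write`) rather than by widening the new top-level block. If it instead uses a stored PAT or app token, that token's scope is unaffected by this change, and a one-line comment above the block such as `# Dispatch uses a dedicated token; GITHUB_TOKEN stays read-only.` would stop a later reader from assuming the read-only ceiling covers it. Either way this is inferred from the job name, so confirm against the job body before merging.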
@@ -17,6 +17,9 @@ on:
 # At 2:30 pm UTC (7:30 am PDT)
 - cron: "30 14 * * *"
 
+permissions:
+ contents: read
+
 jobs:
 pypi-binary-size-validation:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/validate-repackaged-binary-sizes.yml b/.github/workflows/validate-repackaged-binary-sizes.yml
index 06cdd602cb..4656b57054 100644
--- a/.github/workflows/validate-repackaged-binary-sizes.yml
+++ b/.github/workflows/validate-repackaged-binary-sizes.yml
@@ -18,6 +18,9 @@ on:
 - .github/workflows/validate-repackaged-binary-sizes.yml
 - release/pypi/prep_binary_for_pypi.sh
 
+permissions:
+ contents: read
+
 jobs:
 generate-linux-matrix:
 uses: ./.github/workflows/generate_binary_build_matrix.yml