diff --git a/.github/workflows/aurora-delete.yml b/.github/workflows/aurora-delete.yml
index a2759dda6bc..db0ed1a4656 100644
--- a/.github/workflows/aurora-delete.yml
+++ b/.github/workflows/aurora-delete.yml
@@ -12,6 +12,9 @@ on:
 type: string
 required: true
 
+permissions:
+ contents: read
+
 jobs:
 delete:
 name: Delete Aurora DB
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1d709d6ea2d..d8f50aed4e4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,6 +22,9 @@ defaults:
 run:
 shell: bash
 
+permissions:
+ contents: read
+
 jobs:
 
 conditional:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b51c2bb5620..3df72b124e7 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -22,8 +22,10 @@ defaults:
 run:
 shell: bash
 
-jobs:
+permissions:
+ contents: read
 
+jobs:
 conditional:
 name: Check conditional workflows and jobs
 runs-on: ubuntu-latest
@@ -43,6 +45,8 @@ jobs:
 name: CodeQL Java
 needs: conditional
 runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for SARIF upload
 if: needs.conditional.outputs.java == 'true'
 outputs:
 conclusion: ${{ steps.check.outputs.conclusion }}
@@ -69,6 +73,8 @@ jobs:
 name: CodeQL JavaScript
 needs: conditional
 runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for SARIF upload
 if: needs.conditional.outputs.javascript == 'true'
 outputs:
 conclusion: ${{ steps.check.outputs.conclusion }}
@@ -94,6 +100,8 @@ jobs:
 name: CodeQL TypeScript
 needs: conditional
 runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for SARIF upload
 if: needs.conditional.outputs.typescript == 'true'
 outputs:
 conclusion: ${{ steps.check.outputs.conclusion }}
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 1843f08d6e7..12e283aeb1a 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
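Review bot: The three CodeQL jobs (hunks at -43, -69 and -94 of codeql-analysis.yml) now declare a job-level `permissions:` holding only `security-events: write`, and a job-level block replaces the workflow-level default instead of extending it, so those jobs' GITHUB_TOKEN carries no `contents` scope at all despite the new top-level `contents: read`. On a public repository (the `github.repository == 'keycloak/keycloak'` guards elsewhere in this diff suggest this one is) `actions/checkout` still succeeds without that scope, so this is presumably harmless today, but it diverges from the stated intent and would break the checkout step if the workflow ever ran in a private fork. I would make the read scope explicit in each job block, `permissions:` / `contents: read` / `security-events: write # Required for SARIF upload`. The same pattern recurs in the `snyk-analysis.yml`, `trivy-analysis.yml`, `schedule-nightly.yml` and `quarkus-next.yml` hunks further down, except for the `contents: write` job, where write already implies read. The job bodies that actually use the token lie outside these hunks.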
@@ -21,6 +21,9 @@ defaults:
 run:
 shell: bash
 
+permissions:
+ contents: read
+
 jobs:
 
 conditional:
diff --git a/.github/workflows/guides.yml b/.github/workflows/guides.yml
index 720398a37e5..76c27fe4af3 100644
--- a/.github/workflows/guides.yml
+++ b/.github/workflows/guides.yml
@@ -21,6 +21,9 @@ defaults:
 run:
 shell: bash
 
+permissions:
+ contents: read
+
 jobs:
 
 conditional:
diff --git a/.github/workflows/js-ci.yml b/.github/workflows/js-ci.yml
index 43206630eee..7f1fc163a18 100644
--- a/.github/workflows/js-ci.yml
+++ b/.github/workflows/js-ci.yml
@@ -22,6 +22,9 @@ defaults:
 run:
 shell: bash
 
+permissions:
+ contents: read
+
 jobs:
 conditional:
 name: Check conditional workflows and jobs
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
index 70597061a2f..17ba5eb7bd4 100644
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@@ -3,14 +3,15 @@ on:
 pull_request_target:
 types: closed
 
+permissions:
+ contents: read
+
 jobs:
 label:
 runs-on: ubuntu-latest
 permissions:
- contents: read
- issues: write
-
+ issues: write # Required to add labels to Issues
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/operator-ci.yml b/.github/workflows/operator-ci.yml
index 3092840e3c2..d03d6b1ac38 100644
--- a/.github/workflows/operator-ci.yml
+++ b/.github/workflows/operator-ci.yml
@@ -23,6 +23,9 @@ concurrency:
 group: operator-ci-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 
 conditional:
diff --git a/.github/workflows/quarkus-next.yml b/.github/workflows/quarkus-next.yml
index ec235fbf221..0242231a75f 100644
--- a/.github/workflows/quarkus-next.yml
+++ b/.github/workflows/quarkus-next.yml
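Review bot: In the `label.yml` hunk the `contents: read` scope is removed from the `label` job's own `permissions:` block while the job keeps that block with `issues: write`, and a job-level block replaces the workflow default rather than inheriting from it, so the job's token ends up with `issues: write` only and the new top-level `contents: read` never applies to it. The `actions/checkout@v4` step right below still runs; on a public repository it succeeds without a `contents` scope, so the change is presumably benign here, but if the intent was to keep read access for this job the line should stay, `permissions:` / `contents: read` / `issues: write # Required to add labels to Issues`. Because the workflow triggers on `pull_request_target`, which gives the job a base-repository token, it is worth confirming that the checkout's `with:` block (outside the hunk) does not check out the pull request's head ref.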
@@ -14,12 +14,16 @@ concurrency:
 group: quarkus-next-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 update-quarkus-next-branch:
 name: Update quarkus-next branch
 if: github.event_name != 'schedule' || github.repository == 'keycloak/keycloak'
 runs-on: ubuntu-latest
-
+ permissions:
+ contents: write # Required to push changes to the repository
 steps:
 - uses: actions/checkout@v4
 with:
@@ -42,6 +46,8 @@ jobs:
 run-matrix-with-quarkus-next:
 name: Run workflow matrix with the quarkus-next branch
 runs-on: ubuntu-latest
+ permissions:
+ actions: write # Required to trigger workflows using gh
 needs:
 - update-quarkus-next-branch
 
diff --git a/.github/workflows/schedule-nightly.yml b/.github/workflows/schedule-nightly.yml
index a3c93a62013..47f9396bf93 100644
--- a/.github/workflows/schedule-nightly.yml
+++ b/.github/workflows/schedule-nightly.yml
@@ -5,11 +5,15 @@ on:
 - cron: '0 0 * * *'
 workflow_dispatch:
 
-jobs:
+permissions:
+ contents: read
 
+jobs:
 setup:
 if: github.event_name != 'schedule' || github.repository == 'keycloak/keycloak'
 runs-on: ubuntu-latest
+ permissions:
+ actions: write # Required to trigger workflows using gh
 outputs:
 latest-release-branch: ${{ steps.latest-release.outputs.branch }}
 steps:
@@ -24,8 +28,9 @@ jobs:
 run-default-branch:
 name: Run default branch
 runs-on: ubuntu-latest
+ permissions:
+ actions: write # Required to trigger workflows using gh
 needs: setup
-
 strategy:
 matrix:
 workflow:
@@ -47,7 +52,8 @@ jobs:
 name: Run latest release branch
 needs: setup
 runs-on: ubuntu-latest
-
+ permissions:
+ actions: write # Required to trigger workflows using gh
 strategy:
 matrix:
 workflow:
diff --git a/.github/workflows/snyk-analysis.yml b/.github/workflows/snyk-analysis.yml
index 3d484338805..b9eed59af91 100644
--- a/.github/workflows/snyk-analysis.yml
+++ b/.github/workflows/snyk-analysis.yml
@@ -10,11 +10,16 @@ defaults:
 run:
 shell: bash
 
+permissions:
+ contents: read
+
 jobs:
 analysis:
 name: Analysis of Quarkus and Operator
 runs-on: ubuntu-latest
 if: github.repository == 'keycloak/keycloak'
+ permissions:
+ security-events: write # Required for SARIF uploads
 steps:
 - uses: actions/checkout@v4
 
diff --git a/.github/workflows/trivy-analysis.yml b/.github/workflows/trivy-analysis.yml
index 66755fb217a..bc6e7221a9c 100644
--- a/.github/workflows/trivy-analysis.yml
+++ b/.github/workflows/trivy-analysis.yml
@@ -7,6 +7,9 @@ defaults:
 run:
 shell: bash
 
+permissions:
+ contents: read
+
 jobs:
 
 analysis:
@@ -17,6 +20,8 @@ jobs:
 matrix:
 container: [keycloak, keycloak-operator]
 fail-fast: false
+ permissions:
+ security-events: write # Required for SARIF uploads
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
diff --git a/.github/workflows/weblate.yml b/.github/workflows/weblate.yml
index 98c5de4c3f6..ba569f04e72 100644
--- a/.github/workflows/weblate.yml
+++ b/.github/workflows/weblate.yml
@@ -22,6 +22,9 @@ concurrency:
 group: weblate-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 update-weblate:
 name: Trigger Weblate to pull the latest changes
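Review bot: In the `trivy-analysis.yml` hunk at -17 the new `permissions:` block is inserted directly after `fail-fast: false`, which is a child of `strategy:`; the collapsed layout hides the indentation, so it is worth confirming that the two added lines sit at job level (a sibling of `strategy:`) and not inside `strategy:`, where `permissions` is not a valid key and the workflow would fail to load. Separately, a job-level `permissions:` block replaces the workflow-level default rather than adding to it, so both this job and the `snyk-analysis.yml` job now run with `security-events: write` and no `contents` scope; that still lets `actions/checkout` succeed on a public repository, but the intent is clearer with `permissions:` / `contents: read` / `security-events: write # Required for SARIF uploads`. The step lists of both jobs continue outside the hunks.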