8 files changed, 24 insertions, 5 deletions

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 718035199..0c68ab650 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,9 +14,9 @@ permissions:
 jobs:
   analyze:
     permissions:
-      actions: read # for github/codeql-action/init to get workflow details
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/autobuild to send a status report
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/autobuild to send a status report
     name: Analyze
     runs-on: ubuntu-latest
 
diff --git a/.github/workflows/go.fmt.yml b/.github/workflows/go.fmt.yml
index 866b0c269..410464f8c 100644
--- a/.github/workflows/go.fmt.yml
+++ b/.github/workflows/go.fmt.yml
@@ -4,9 +4,13 @@ on:
   schedule:
     - cron: '22 10 * * 1'
 
+permissions: read-all
+
 jobs:
   fix:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
diff --git a/.github/workflows/go.tidy.yml b/.github/workflows/go.tidy.yml
index 3f7082474..9e264c0c5 100644
--- a/.github/workflows/go.tidy.yml
+++ b/.github/workflows/go.tidy.yml
@@ -4,9 +4,13 @@ on:
   schedule:
     - cron: '22 10 * * 3'
 
+permissions: read-all
+
 jobs:
   fix:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Install Go
         uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
diff --git a/.github/workflows/make.doc.yml b/.github/workflows/make.doc.yml
index b605b1208..4dbb42b77 100644
--- a/.github/workflows/make.doc.yml
+++ b/.github/workflows/make.doc.yml
@@ -4,9 +4,13 @@ on:
   schedule:
     - cron: '22 10 * * 0'
 
+permissions: read-all
+
 jobs:
   fix:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
index b8b6f014e..0ff9d2c75 100644
--- a/.github/workflows/reviewdog.yml
+++ b/.github/workflows/reviewdog.yml
@@ -5,6 +5,8 @@ on:
     branches:
       - master
 
+permissions: read-all
+
 jobs:
   gofmt:
     name: Go Fmt
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index b96ed6827..fd9c7c4c0 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -9,8 +9,8 @@ permissions:
 jobs:
   stale:
     permissions:
-      issues: write # for actions/stale to close stale issues
-      pull-requests: write # for actions/stale to close stale PRs
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@7fb802b3079a276cf3c7e6ba9aa003c665b3f838
diff --git a/.github/workflows/whitespace.yml b/.github/workflows/whitespace.yml
index f454300d5..9d1da08ca 100644
--- a/.github/workflows/whitespace.yml
+++ b/.github/workflows/whitespace.yml
@@ -4,9 +4,13 @@ on:
   schedule:
     - cron: '22 10 * * 2'
 
+permissions: read-all
+
 jobs:
   fix:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml
index eaedd4b61..287db986a 100644
--- a/.github/workflows/yamllint.yml
+++ b/.github/workflows/yamllint.yml
@@ -1,6 +1,7 @@
 name: 'Yamllint GitHub Actions'
 on:
   - pull_request
+permissions: read-all
 jobs:
   yamllint:
     name: 'Yamllint'