diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 58c5e520f..7075f6405 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,8 +14,9 @@ on:
 - release/**
 permissions:
- contents: read
- checks: write
+ contents: read
+ checks: write
+ actions: write
 jobs:
 build_linux:
diff --git a/.github/workflows/ci_release.yml b/.github/workflows/ci_release.yml
index 125bdbbb5..cd576ad8c 100644
--- a/.github/workflows/ci_release.yml
+++ b/.github/workflows/ci_release.yml
@@ -6,6 +6,10 @@ on:
 - "v[0-9]+.[0-9]+.[0-9]+"
 - "v[0-9]+.[0-9]+.[0-9]+-beta.*"
+permissions:
+ contents: read
+ actions: write
+
 env:
 ARCHIVE_PREFIX: com.espressif.idf.update-
 ARCHIVE_SUFFIX: -SNAPSHOT.zip
diff --git a/.github/workflows/ci_uploads.yml b/.github/workflows/ci_uploads.yml
index b3ad4b55e..b900829a4 100644
--- a/.github/workflows/ci_uploads.yml
+++ b/.github/workflows/ci_uploads.yml
@@ -12,6 +12,9 @@ on:
 paths:
 - 'internal/com.espressif.idf.uploads/**'
+permissions:
+ contents: read
+
 jobs:
 upload-file:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/ci_windows.yml b/.github/workflows/ci_windows.yml
index 3d35841b9..b04558266 100644
--- a/.github/workflows/ci_windows.yml
+++ b/.github/workflows/ci_windows.yml
@@ -14,8 +14,8 @@ on:
 - release/**
 permissions:
- contents: read
- checks: write
+ contents: read
+ checks: write
 jobs:
 build_windows:
diff --git a/.github/workflows/docs_build.yml b/.github/workflows/docs_build.yml
index 8e895e186..21a4bde62 100644
--- a/.github/workflows/docs_build.yml
+++ b/.github/workflows/docs_build.yml
@@ -13,6 +13,10 @@ on:
 - 'docs/**'
 - '.github/workflows/docs_build.yml'
+permissions:
+ contents: read
+ actions: write
+
 jobs:
 build-docs:
diff --git a/.github/workflows/docs_production.yml b/.github/workflows/docs_production.yml
index 7960ef853..5856852b7 100644
--- a/.github/workflows/docs_production.yml
+++ b/.github/workflows/docs_production.yml
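Review bot: `actions: write` in the new workflow-level `permissions:` block of ci.yml is wider than anything visible in the hunk calls for, and at workflow level it applies to every job in the file. Uploading or downloading build artifacts does not depend on this scope; it is what allows cancelling or re-running runs and deleting caches or artifacts through the API. ci_windows.yml in the same commit keeps only `contents: read` and `checks: write`, so unless a step here really calls the Actions API I would use `actions: read` or drop the line, and if it is required, grant it on the one job that needs it with a comment such as `# actions: write needed by <step> to <reason>`. The same applies to ci_release.yml, docs_build.yml, new_issues.yml and nightly.yml; the jobs themselves are outside these hunks.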
@@ -10,7 +10,10 @@ on:
 paths:
 - 'docs/**'
 - '.github/workflows/docs_production.yml'
-
+
+permissions:
+ contents: read
+
 jobs:
 deploy-prod-docs:
diff --git a/.github/workflows/issue_comment.yml b/.github/workflows/issue_comment.yml
index c1dea82fd..8c63e1064 100644
--- a/.github/workflows/issue_comment.yml
+++ b/.github/workflows/issue_comment.yml
@@ -3,6 +3,10 @@ name: Sync issue comments to JIRA
 # This workflow will be triggered when new issue comment is created (including PR comments)
 on: issue_comment
+permissions:
+ contents: read
+ issues: write
+
 jobs:
 sync_issue_comments_to_jira:
 name: Sync Issue Comments to Jira
diff --git a/.github/workflows/new_issues.yml b/.github/workflows/new_issues.yml
index 77da5d0f6..39f495735 100644
--- a/.github/workflows/new_issues.yml
+++ b/.github/workflows/new_issues.yml
@@ -5,8 +5,9 @@ on:
 types: [opened, edited]
 permissions:
- issues: write
 contents: read
+ issues: write
+ actions: write
 jobs:
 sync_issues_to_jira:
diff --git a/.github/workflows/new_prs.yml b/.github/workflows/new_prs.yml
index d51749ef1..c10ce8e2b 100644
--- a/.github/workflows/new_prs.yml
+++ b/.github/workflows/new_prs.yml
@@ -6,6 +6,10 @@ on:
 schedule:
 - cron: "0 * * * *"
+permissions:
+ contents: read
+ issues: write
+
 jobs:
 sync_prs_to_jira:
 name: Sync PRs to Jira
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index b62a4dd4d..f1c55ab65 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -7,6 +7,10 @@ on:
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ contents: read
+ actions: write
+
 jobs:
 build:
 runs-on: macos-latest
diff --git a/.github/workflows/pr-comment.yml b/.github/workflows/pr-comment.yml
index 4c938dd76..67f21da5c 100644
--- a/.github/workflows/pr-comment.yml
+++ b/.github/workflows/pr-comment.yml
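Review bot: The `permissions:` block added to issue_comment.yml has no comment recording why the token needs `issues: write`, which matters here because `on: issue_comment` fires for any account that can comment, including on pull requests. I would add above it `# issues: write lets the Jira sync step update the GitHub issue; comment text is untrusted input`, adjusted to what the sync step actually does, since the job's steps are outside the hunk. new_prs.yml gets the same `issues: write` for a scheduled PR sync and would benefit from the same one-line rationale.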
@@ -3,6 +3,11 @@ on:
 workflow_run:
 workflows: [CI]
 types: [completed]
+
+permissions:
+ actions: read
+ issues: write
+
 jobs:
 pr_comment:
 if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 48bdc0fa2..75392880c 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -1,8 +1,11 @@
 name: Conventional Commits Check
 on:
- pull_request:
- branches: [ master ]
+ pull_request:
+ branches: [master]
+
+permissions:
+ contents: read
 jobs:
 precommit:
diff --git a/.github/workflows/update-site-test.yml b/.github/workflows/update-site-test.yml
index 6835417a9..fdf8a97c3 100644
--- a/.github/workflows/update-site-test.yml
+++ b/.github/workflows/update-site-test.yml
@@ -14,6 +14,9 @@ on:
 - cron: '0 0 * * *'
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 update-site-tests:
 runs-on: [self-hosted, eclipse, BrnoUBU0004]
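Review bot: The new `permissions:` block in pr-comment.yml should say in a comment that this job runs on `workflow_run`, that is, in the base repository's context with a write-scoped token, even when the CI run that triggered it came from a fork pull request (the `if:` selects `workflow_run.event == 'pull_request'`). `actions: read` suggests the job reads artifacts or metadata from that run; anything taken from there is untrusted and should be handled only as data, never executed or interpolated into a script. Proposed comment: `# workflow_run executes with base-repo privileges; treat output of the triggering PR run as untrusted`. It is also worth confirming that `issues: write` rather than `pull-requests: write` is the scope the commenting step needs, as the steps lie outside the hunk.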
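Review bot: `contents: read` in update-site-test.yml narrows the token but not what the job can reach on the machine it runs on, and `runs-on: [self-hosted, eclipse, BrnoUBU0004]` is a named self-hosted runner. A comment next to the block would keep that distinction visible, for example `# token is read-only; the self-hosted runner itself is the trust boundary, keep triggers to trusted events`. Only `schedule` and `workflow_dispatch` are visible in the hunk; the `on:` section starts above it, so whether pull requests from forks can reach this runner needs checking there.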