diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index db306b460ff..1ab85c40554 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,6 +6,9 @@ name: build
 schedule:
 - cron: '51 2 * * 4'
+permissions:
+ contents: read
+
 jobs:
 fmt:
 name: cargo fmt
@@ -14,7 +17,7 @@ jobs:
 - uses: actions/checkout@v4
 - name: cargo fmt
 run: cargo fmt --all -- --check
-
+
 clippy:
 name: cargo clippy
 runs-on: ubuntu-latest
@@ -22,7 +25,7 @@ jobs:
 - uses: actions/checkout@v4
 - name: cargo clippy
 run: cargo clippy --all --all-targets -- -D warnings
-
+
 test:
 name: cargo test
 runs-on: ubuntu-latest
diff --git a/.github/workflows/code_ql.yml b/.github/workflows/code_ql.yml
new file mode 100644
index 00000000000..707822d15a3
--- /dev/null
+++ b/.github/workflows/code_ql.yml
@@ -0,0 +1,35 @@
+---
+name: code_ql
+
+'on':
+ workflow_dispatch:
+ push:
+ branches:
+ - master
+ pull_request:
+ schedule:
+ - cron: '10 7 * * 1'
+
+jobs:
+ analyze_actions:
+ name: Analyze Actions
+ runs-on: 'ubuntu-latest'
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: 'actions'
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:actions"
+...
diff --git a/.github/workflows/directory_workflow.yml b/.github/workflows/directory_workflow.yml
index 6a34f58bf6b..9595c7ad8cb 100644
--- a/.github/workflows/directory_workflow.yml
+++ b/.github/workflows/directory_workflow.yml
@@ -3,6 +3,9 @@ on:
 push:
 branches: [master]
+permissions:
+ contents: read
+
 jobs:
 MainSequence:
 name: DIRECTORY.md
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 203cc941a5e..3e99d1d726d 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
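Review bot: The new top-level `permissions: contents: read` in build.yml is the right default for jobs that only run fmt, clippy and test, but the context line `- uses: actions/checkout@v4` shows the workflow still resolves its action by a mutable major tag, which token scoping does not protect against. Pinning to a full commit SHA with the version kept as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4`, closes the remaining supply-chain gap in this file. The two later hunks in build.yml only replace a whitespace-only line with an empty one and need no further review.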
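Review bot: The new code_ql.yml runs CodeQL with `languages: 'actions'` only, so it scans the workflow files and not the Rust sources that build.yml formats, lints and tests; if that scope is intentional, a comment above `languages:` such as `# scans workflow files only; Rust analysis is not enabled here` prevents readers from assuming the crate is covered. Unlike the other workflows in this commit, this file sets permissions only on the `analyze_actions` job and has no workflow-level `permissions:` block; adding `permissions: contents: read` at the top level keeps any job added later least-privilege by default. The `uses:` references (`actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`) are mutable tags; for a security-scanning workflow a full commit SHA pin is the usual expectation.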
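Review bot: The new top-level `permissions: contents: read` in directory_workflow.yml also applies to the `MainSequence` job, whose name `DIRECTORY.md` suggests it regenerates and commits that file back to master; if the job pushes with GITHUB_TOKEN it now needs `contents: write` at job level, following the same job-scoped pattern stale.yml uses for `issues` and `pull-requests`, and if it pushes with a separate PAT instead, a comment saying so would avoid a confusing permission-denied failure later. The job body is outside this hunk, so this is inferred from the job name and should be confirmed against the steps.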
@@ -2,8 +2,14 @@ name: 'Close stale issues and PRs'
 on:
 schedule:
 - cron: '0 0 * * *'
+permissions:
+ contents: read
+
 jobs:
 stale:
+ permissions:
+ issues: write
+ pull-requests: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/stale@v9
diff --git a/.github/workflows/upload_coverage_report.yml b/.github/workflows/upload_coverage_report.yml
index f19a34345a5..ebe347c99e4 100644
--- a/.github/workflows/upload_coverage_report.yml
+++ b/.github/workflows/upload_coverage_report.yml
@@ -9,6 +9,9 @@ on:
 - master
 pull_request:
+permissions:
+ contents: read
+
 env:
 REPORT_NAME: "lcov.info"
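Review bot: The job-level `permissions:` block added under `stale:` replaces the workflow-level set rather than extending it, so this job runs with `issues: write` and `pull-requests: write` and no `contents` access at all; that is correct for actions/stale, which does not check out the repository, but the interaction with the new top-level `contents: read` is easy to misread. A comment above the job-level block such as `# replaces the top-level set: actions/stale needs issues/PR write and no contents access` would document the intent. `actions/stale@v9` remains a mutable tag; pinning it to a full commit SHA would match the least-privilege direction of this change.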