diff --git a/.github/workflows/cache-cleanup.yml b/.github/workflows/cache-cleanup.yml
index b71b0e9baa..530502e0f4 100644
--- a/.github/workflows/cache-cleanup.yml
+++ b/.github/workflows/cache-cleanup.yml
@@ -6,6 +6,8 @@ on:
 types:
 - closed
 
+permissions: {}
+
 jobs:
 cleanup:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 78474f90e2..5a3063f197 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -6,9 +6,7 @@ on:
 - main
 - 3.x
 
-permissions:
- pull-requests: write
- contents: write
+permissions: {}
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.number || github.sha }}
@@ -19,6 +17,10 @@ jobs:
 if: github.repository_owner == 'nuxt' && !contains(github.event.head_commit.message, 'v3.') && !contains(github.event.head_commit.message, 'v4.')
 runs-on: ubuntu-latest
 
+ permissions:
+ pull-requests: write
+ contents: write
+
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml
index 82ec01db92..e0469e757f 100644
--- a/.github/workflows/label-pr.yml
+++ b/.github/workflows/label-pr.yml
@@ -8,6 +8,8 @@ on:
 - main
 - 3.x
 
+permissions: {}
+
 jobs:
 add-pr-labels:
 name: Add PR labels
diff --git a/.github/workflows/notify-nuxt-bridge.yml b/.github/workflows/notify-nuxt-bridge.yml
index fa97b12b95..b1f67c0509 100644
--- a/.github/workflows/notify-nuxt-bridge.yml
+++ b/.github/workflows/notify-nuxt-bridge.yml
@@ -4,6 +4,9 @@ on:
 types: [closed]
 paths:
 - "packages/nuxt/src/app/composables/**"
+
+permissions: {}
+
 jobs:
 notify:
 if: github.event.pull_request.merged == true
diff --git a/.github/workflows/semantic-pull-requests.yml b/.github/workflows/semantic-pull-requests.yml
index a3098e6f9e..e569c4acc3 100644
--- a/.github/workflows/semantic-pull-requests.yml
+++ b/.github/workflows/semantic-pull-requests.yml
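Review bot: In `.github/workflows/cache-cleanup.yml` the new top-level `permissions: {}` leaves the `cleanup` job's `GITHUB_TOKEN` with no scopes unless the job declares its own block, and no job-level `permissions:` is visible in this hunk (the job body continues past `runs-on:`). If the job deletes caches with the workflow token, it will presumably need a job-level grant such as `actions: write` under `cleanup:`. The same check applies to the `add-pr-labels` job in `label-pr.yml` (likely `pull-requests: write`) and the `notify` job in `notify-nuxt-bridge.yml`, whose hunks add only the empty top-level block. Confirm that each job either carries its own minimal grant or does not use `GITHUB_TOKEN` at all, so the hardening does not turn into a silent 403 at run time.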
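Review bot: In the second hunk of `.github/workflows/changelog.yml`, the job-level `pull-requests: write` and `contents: write` carry no why-comment, unlike the scopes in `semantic-pull-requests.yml`, which each name the consumer. These are the only write grants this commit touches, so annotate them the same way, e.g. `contents: write # to push the changelog branch` and `pull-requests: write # to open or update the changelog PR`; the wording needs confirming against the job's steps, which lie outside this hunk. The checkout step's `with:` block is also cut off here, so check whether `persist-credentials: false` can be set there if no later step pushes with the persisted token.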
@@ -7,12 +7,12 @@ on:
 - edited
 - synchronize
 
-permissions:
- contents: read
+permissions: {}
 
 jobs:
 semantic-pr:
 permissions:
+ contents: read
 pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs
 statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR
 if: github.repository == 'nuxt/nuxt' && !startsWith(github.head_ref, 'v')
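Review bot: The added `contents: read` under the `semantic-pr` job's `permissions:` is the one scope in that block without a justification comment, and nothing visible in the hunk reads repository contents. The two neighbouring scopes are the ones attributed to amannn/action-semantic-pull-request. If the job has no checkout step (its steps are outside this hunk), drop the line so the job keeps only `pull-requests: read` and `statuses: write`. Otherwise annotate it in the same style, e.g. `contents: read # for <step that reads the repository>`.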