diff --git a/.github/workflows/commit-to-main.yml b/.github/workflows/commit-to-main.yml
index a6c7f6c14..100598154 100644
--- a/.github/workflows/commit-to-main.yml
+++ b/.github/workflows/commit-to-main.yml
@@ -1,7 +1,7 @@
name: Main branch tests
-# read-all permissions are required for the scorecard job
-permissions: read-all
+permissions:
+ contents: read
on:
push:
@@ -15,11 +15,24 @@ jobs:
scorecard:
uses: ./.github/workflows/scorecard.yml
secrets: inherit
+ # complete list of permissions keys as per
+ # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions
+ # accessed September 4, 2024
permissions:
- # Needed to upload the results to code-scanning dashboard.
- security-events: write
- # Needed to publish results and get a badge (see publish_results below).
+ actions: read
+ attestations: read
+ checks: read
+ contents: read
+ deployments: read
id-token: write
+ issues: read
+ discussions: read
+ packages: read
+ pages: read
+ pull-requests: read
+ repository-projects: read
+ security-events: write
+ statuses: read
basic-downstream:
uses: ./.github/workflows/downstream-basic.yml
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 5e7abd4cf..41776b6e6 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -1,7 +1,7 @@
name: Pull request tests
-# read-all permissions are required for the scorecard job
-permissions: read-all
+permissions:
+ contents: read
on: pull_request
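Review bot: With `permissions: read-all` replaced by `contents: read` at workflow level, every job in this workflow that has no `permissions` block of its own (at least `basic-downstream` here) now gets `none` on every other scope instead of the read access it had, and the same applies to the identical hunks in pr.yml and weekly.yml (`extended-tests`). That is the right direction, but the called reusable workflows are not visible here, so it is worth confirming none of them relies on another read scope such as `actions: read` or `pull-requests: read`, since a scope not listed at workflow level is not inherited from anywhere. The deleted comment explained why the old value was `read-all`; a replacement such as `# default token for all jobs; the scorecard job sets its own block below` would keep that context for the next reader.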
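Review bot: The new scorecard `permissions` block grants read on every scope GitHub offers (`actions`, `attestations`, `checks`, `deployments`, `discussions`, `packages`, `pages`, `pull-requests`, `repository-projects`, `statuses`, and more), replacing a block that granted only `security-events: write` and `id-token: write`; because a job-level `permissions` block sets every unlisted scope to `none`, the old block was the tighter one and this hunk widens the token handed to the called `scorecard.yml` beyond anything shown to be needed, contrary to the least-privilege tightening done at workflow level in the same commit. The same block is repeated in pr.yml and weekly.yml, so the three copies will also drift over time. If I remember the scorecard action's documentation correctly it asks for the two writes plus `contents: read` and `actions: read` only for private repositories, so keep those and drop the rest after checking against `scorecard.yml`. The two why-comments that were removed (`# Needed to upload the results to code-scanning dashboard.` above `security-events: write` and `# Needed to publish results and get a badge (see publish_results below).` above `id-token: write`) should be restored, because the new comment only says where the key list was copied from, not why any grant exists. Minor: `discussions` is listed after `issues`, breaking the otherwise alphabetical order of the keys.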
@@ -22,8 +22,21 @@ jobs:
needs: basic-checks
uses: ./.github/workflows/scorecard.yml
secrets: inherit
+ # complete list of permissions keys as per
+ # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions
+ # accessed September 4, 2024
permissions:
- # Needed to upload the results to code-scanning dashboard.
- security-events: write
- # Needed to publish results and get a badge (see publish_results below).
+ actions: read
+ attestations: read
+ checks: read
+ contents: read
+ deployments: read
id-token: write
+ issues: read
+ discussions: read
+ packages: read
+ pages: read
+ pull-requests: read
+ repository-projects: read
+ security-events: write
+ statuses: read
diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml
index cd290afc5..e1bf8fd94 100644
--- a/.github/workflows/weekly.yml
+++ b/.github/workflows/weekly.yml
@@ -1,7 +1,7 @@
name: Weekly tests
-# read-all permissions are required for the scorecard job
-permissions: read-all
+permissions:
+ contents: read
on:
schedule:
@@ -14,11 +14,24 @@ jobs:
scorecard:
uses: ./.github/workflows/scorecard.yml
secrets: inherit
+ # complete list of permissions keys as per
+ # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions
+ # accessed September 4, 2024
permissions:
- # Needed to upload the results to code-scanning dashboard.
- security-events: write
- # Needed to publish results and get a badge (see publish_results below).
+ actions: read
+ attestations: read
+ checks: read
+ contents: read
+ deployments: read
id-token: write
+ issues: read
+ discussions: read
+ packages: read
+ pages: read
+ pull-requests: read
+ repository-projects: read
+ security-events: write
+ statuses: read
extended-tests:
uses: ./.github/workflows/extended.yml