diff --git a/.github/workflows/ci-build-checks.yaml b/.github/workflows/ci-build-checks.yaml
index daa6697a9..494b5d958 100644
--- a/.github/workflows/ci-build-checks.yaml
+++ b/.github/workflows/ci-build-checks.yaml
@@ -85,11 +85,14 @@ env:
 ^\.github/problem-matchers/.*
 ^benchmarks/.*
 
+# Cancel any previously-started but still active runs on the same branch.
 concurrency:
- # Cancel any previously-started but still active runs on the same branch.
 cancel-in-progress: true
 group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
 
+# Declare default permissions as read-only.
+permissions: read-all
+
 jobs:
 # Summary of basic strategy:
 # 1. Job "Decision" quickly determines if the rest of the workflow needs
diff --git a/.github/workflows/ci-file-checks.yaml b/.github/workflows/ci-file-checks.yaml
index 3de9a2d48..b14569b96 100644
--- a/.github/workflows/ci-file-checks.yaml
+++ b/.github/workflows/ci-file-checks.yaml
@@ -65,11 +65,14 @@ env:
 # GitHub, and you have to use Ubuntu 24 to get it.
 clang_format_ver: '18'
 
+# Cancel any previously-started but still active runs on the same branch.
 concurrency:
- # Cancel any previously-started but still active runs on the same branch.
 cancel-in-progress: true
 group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
 
+# Declare default permissions as read-only.
+permissions: read-all
+
 jobs:
 Changes:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/ci-nightly-build-test.yaml b/.github/workflows/ci-nightly-build-test.yaml
index 2732ca175..f92a897e9 100644
--- a/.github/workflows/ci-nightly-build-test.yaml
+++ b/.github/workflows/ci-nightly-build-test.yaml
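Review bot: `permissions: read-all` in the added top-level block still gives the workflow token read access across all scopes, which is wider than a build-and-test workflow normally needs; the same line is added in ci-file-checks.yaml, ci-nightly-build-test.yaml and ci-nightly-cirq-test.yaml. If the jobs only check out the repository, the tighter form is `permissions:` followed by `  contents: read`, which leaves every unlisted scope at `none`. The job bodies are outside these hunks, so it is worth confirming that none of them writes through `GITHUB_TOKEN` (PR comments, issue creation, security-result uploads); any that does should get a job-level `permissions:` block naming only that scope rather than a wider workflow default. The added comment could also say this, e.g. `# Default to a read-only token; jobs that need more declare it at job level.`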
@@ -49,11 +49,14 @@ env:
 test --test_timeout=6000
 test --test_verbose_timeout_warnings
 
+# Cancel any previously-started but still active runs on the same branch.
 concurrency:
- # Cancel any previously-started but still active runs on the same branch.
 cancel-in-progress: true
 group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
 
+# Declare default permissions as read-only.
+permissions: read-all
+
 jobs:
 Decision:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/ci-nightly-cirq-test.yaml b/.github/workflows/ci-nightly-cirq-test.yaml
index 74cccec00..486ff75fe 100644
--- a/.github/workflows/ci-nightly-cirq-test.yaml
+++ b/.github/workflows/ci-nightly-cirq-test.yaml
@@ -64,11 +64,14 @@ env:
 build --verbose_failures
 test --test_timeout=3000
 
+# Cancel any previously-started but still active runs on the same branch.
 concurrency:
- # Cancel any previously-started but still active runs on the same branch.
 cancel-in-progress: true
 group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
 
+# Declare default permissions as read-only.
+permissions: read-all
+
 jobs:
 test-compatibility:
 name: Run TFQ tests