diff --git a/.github/workflows/ci_macos.yaml b/.github/workflows/ci_macos.yaml
index 11fa622ba..9a0c30225 100644
--- a/.github/workflows/ci_macos.yaml
+++ b/.github/workflows/ci_macos.yaml
@@ -2,8 +2,7 @@ name: CI - macOS
 
 on: [pull_request, push]
 
-permissions:
-  actions: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -13,6 +12,8 @@ jobs:
   ci:
     name: Build
     runs-on: macos-latest
+    permissions:
+      actions: write
 
     strategy:
       fail-fast: false
diff --git a/.github/workflows/ci_ubuntu.yaml b/.github/workflows/ci_ubuntu.yaml
index db4536a80..6e4d88fa1 100644
--- a/.github/workflows/ci_ubuntu.yaml
+++ b/.github/workflows/ci_ubuntu.yaml
@@ -2,9 +2,7 @@ name: CI - Ubuntu
 
 on: [pull_request, push]
 
-permissions:
-  actions: write
-  security-events: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -14,6 +12,9 @@ jobs:
   ci:
     name: Build
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      security-events: write
 
     strategy:
       fail-fast: false
diff --git a/.github/workflows/ci_webui.yaml b/.github/workflows/ci_webui.yaml
index f17920d8f..a5bc1115a 100644
--- a/.github/workflows/ci_webui.yaml
+++ b/.github/workflows/ci_webui.yaml
@@ -2,8 +2,7 @@ name: CI - WebUI
 
 on: [pull_request, push]
 
-permissions:
-  security-events: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -13,6 +12,8 @@ jobs:
   ci:
     name: Check
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
 
     defaults:
       run:
diff --git a/.github/workflows/ci_windows.yaml b/.github/workflows/ci_windows.yaml
index c7e0414f8..ce3b7de38 100644
--- a/.github/workflows/ci_windows.yaml
+++ b/.github/workflows/ci_windows.yaml
@@ -2,8 +2,7 @@ name: CI - Windows
 
 on: [pull_request, push]
 
-permissions:
-  actions: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -13,6 +12,8 @@ jobs:
   ci:
     name: Build
     runs-on: windows-latest
+    permissions:
+      actions: write
 
     strategy:
       fail-fast: false
diff --git a/.github/workflows/stale_bot.yaml b/.github/workflows/stale_bot.yaml
index 6cd727855..705f6a5c9 100644
--- a/.github/workflows/stale_bot.yaml
+++ b/.github/workflows/stale_bot.yaml
@@ -4,12 +4,13 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
-permissions:
-  pull-requests: write
+permissions: {}
 
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Mark and close stale PRs
         uses: actions/stale@v9