diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 229cbb9f..b0bf2112 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -227,6 +227,8 @@ jobs:
   govulncheck:
     runs-on: ubuntu-24.04
     permissions:
+      # same as global permission
+      contents: read
       # required to write sarif report
       security-events: write
     steps:
@@ -372,6 +374,8 @@ jobs:
     runs-on: ubuntu-24.04
     if: ${{ github.ref == 'refs/heads/master' && github.repository == 'docker/buildx' }}
     permissions:
+      # same as global permission
+      contents: read
       # required to write sarif report
       security-events: write
     needs:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index fe687f9a..9631b1b3 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -23,6 +23,7 @@ jobs:
   codeql:
     runs-on: ubuntu-24.04
     permissions:
+      contents: read
       actions: read
       security-events: write
     steps:
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index a5bff97e..c1b73a15 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -20,6 +20,9 @@ jobs:
   labeler:
     runs-on: ubuntu-latest
     permissions:
+      # same as global permission
+      contents: read
+      # required for writing labels
       pull-requests: write
     steps:
       -