diff --git a/.github/workflows/acceptance-test.yml b/.github/workflows/acceptance-test.yml
index e3339642a..c031024c6 100644
--- a/.github/workflows/acceptance-test.yml
+++ b/.github/workflows/acceptance-test.yml
@@ -10,6 +10,9 @@ on:
 # Runs against the default branch every day at midnight
 - cron: "0 0 * * *"
+permissions:
+ contents: read
+
 jobs:
 get-go-version:
 runs-on: ubuntu-latest
@@ -56,6 +59,8 @@ jobs:
 PACKER_ACC=1 gotestsum --format=short-verbose --junitfile /tmp/test-results/gotestsum-report.xml -- -timeout=120m -p 2 $(go list ./... | grep -v inspec | grep -v profitbricks | grep -v oneandone)
 # Send a slack notification if either job defined above fails
 slack-notify:
+ permissions:
+ contents: none
 needs:
 - get-go-version
 - acceptance-test
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 061280c9c..bb6e5b881 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -7,8 +7,13 @@ on:
 - closed
 - labeled
+permissions:
+ contents: read
+
 jobs:
 backport:
+ permissions:
+ contents: none
 if: github.event.pull_request.merged
 runs-on: ubuntu-latest
 container: hashicorpdev/backport-assistant:0.2.3
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d2d69d705..564561b58 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,6 +12,9 @@ env:
 REPO_NAME: "packer"
 GO_TAGS: ""
+permissions:
+ contents: read
+
 jobs:
 get-go-version:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-plugin-docs.yml b/.github/workflows/check-plugin-docs.yml
index 80251e913..8de9ca1f8 100644
--- a/.github/workflows/check-plugin-docs.yml
+++ b/.github/workflows/check-plugin-docs.yml
@@ -15,6 +15,9 @@ on:
 schedule:
 - cron: "45 0 * * *"
+permissions:
+ contents: read
+
 jobs:
 check-plugin-docs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/go-test.yml b/.github/workflows/go-test.yml
index 8e1b790e2..a7f2c6313 100644
--- a/.github/workflows/go-test.yml
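Review bot: The new workflow-level `permissions:` block carries no comment explaining that it is only a default for the jobs below it — a job that declares its own `permissions:` replaces the block wholesale, so a job that adds `issues: write` and also checks out code has to restate `contents: read` (the job blocks added to issues-opened.yml and issue-comment-created.yml do this; the `lock` job in lock.yml and the `slack-notify` job here omit it, which appears fine as no checkout is visible in those jobs). A one-line comment above the block would put that rule where the next job-level override will be written: `# Default GITHUB_TOKEN scopes for all jobs; a job-level permissions block replaces this entirely, so restate contents: read wherever actions/checkout is used`. The same uncommented block is added in backport.yml, build.yml, check-plugin-docs.yml, go-test.yml, go-validate.yml, issue-comment-created.yml, issues-opened.yml, lock.yml and pull-requests-opened.yml.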
+++ b/.github/workflows/go-test.yml
@@ -10,6 +10,9 @@ on: [ workflow_dispatch, push ]
 env:
 PACKER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions:
+ contents: read
+
 jobs:
 linux-go-tests:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/go-validate.yml b/.github/workflows/go-validate.yml
index 598ca2104..2f2dfda04 100644
--- a/.github/workflows/go-validate.yml
+++ b/.github/workflows/go-validate.yml
@@ -6,6 +6,9 @@ name: "Go Validate"
 on: [ workflow_dispatch, push ]
+permissions:
+ contents: read
+
 jobs:
 check-mod-tidy:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/issue-comment-created.yml b/.github/workflows/issue-comment-created.yml
index 041efb1cd..72ca61e92 100644
--- a/.github/workflows/issue-comment-created.yml
+++ b/.github/workflows/issue-comment-created.yml
@@ -4,8 +4,14 @@ on:
 issue_comment:
 types: [created]
+permissions:
+ contents: read
+
 jobs:
 issue_comment_triage:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ issues: write # for actions-ecosystem/action-remove-labels to remove issue labels
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
diff --git a/.github/workflows/issues-opened.yml b/.github/workflows/issues-opened.yml
index cb3b098ca..b9304f274 100644
--- a/.github/workflows/issues-opened.yml
+++ b/.github/workflows/issues-opened.yml
@@ -2,9 +2,15 @@ on:
 issues:
 types: [opened]
+permissions:
+ contents: read
+
 jobs:
 issue_triage:
 name: Issue Opened Triage
+ permissions:
+ contents: read
+ issues: write # for github/issue-labeler to create or remove labels
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
@@ -25,6 +31,9 @@ jobs:
 label-operator: OR
 label-question:
 name: Redirect to discuss
+ permissions:
+ contents: read
+ issues: write # for actions-ecosystem/action-create-comment to create comments
 if: contains(github.event.issue.labels.*.name, 'question')
 runs-on: ubuntu-latest
 steps:
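Review bot: The `permissions: contents: read` block in go-test.yml sits directly under `env: PACKER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, which presumably makes the workflow token available to the Go test processes, yet nothing records that the two are linked. With the token reaching test code, the read-only scope is what keeps a test or a compromised test dependency from writing to the repository, and a later edit that widens the scope for some other job would silently widen what the tests can do as well. A short comment on the new block ties them together: `# Keep read-only: the workflow token is exported to the tests as PACKER_GITHUB_API_TOKEN above`. The `on:` and `env:` mappings the block follows begin above the hunk.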
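Review bot: In the `issue_triage` and `label-question` permission blocks of issues-opened.yml the `issues: write` line names the action that needs it but the `contents: read` line does not, whereas the equivalent line added to issue-comment-created.yml in this same change reads `contents: read # for actions/checkout to fetch code`. `issue_triage` visibly runs `actions/checkout@v2`, so the same trailing comment fits there: `contents: read # for actions/checkout to fetch code`. The `label-question` job's steps start below the second hunk, so confirm it also checks out code before copying the comment; if it does not, the scope could be dropped for that job instead.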
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index fa43d3d9f..689e6c345 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -5,8 +5,14 @@ on:
 - cron: '50 1 * * *'
 # Only 50 issues will be handled during a given run.
+permissions:
+ contents: read
+
 jobs:
 lock:
+ permissions:
+ issues: write # for dessant/lock-threads to lock issues
+ pull-requests: write # for dessant/lock-threads to lock PRs
 runs-on: ubuntu-latest
 steps:
 - uses: dessant/lock-threads@v3
diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml
index bf2e7c677..eeabdd4b5 100644
--- a/.github/workflows/nightly-release.yml
+++ b/.github/workflows/nightly-release.yml
@@ -17,6 +17,8 @@ on:
 jobs:
 # Build a fresh set of artifacts
 build-artifacts:
+ permissions:
+ contents: none
 uses: hashicorp/packer/.github/workflows/build.yml@main
 github-release:
 needs: build-artifacts
@@ -78,6 +80,8 @@ jobs:
 release_id: ${{ steps.create_prerelease.outputs.id }}
 # Send a slack notification if either job defined above fails
 slack-notify:
+ permissions:
+ contents: none
 needs:
 - build-artifacts
 - github-release
diff --git a/.github/workflows/pull-requests-opened.yml b/.github/workflows/pull-requests-opened.yml
index b81b12cb1..2f5d12180 100644
--- a/.github/workflows/pull-requests-opened.yml
+++ b/.github/workflows/pull-requests-opened.yml
@@ -2,6 +2,8 @@ on:
 pull_request:
 types:
 - opened
+permissions:
+ contents: read
 jobs:
 add-to-project:
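Review bot: Setting `contents: none` on the `build-artifacts` job in nightly-release.yml looks like it will break the call to `hashicorp/packer/.github/workflows/build.yml@main`: the same change gives build.yml a workflow-level `permissions: contents: read`, and a called reusable workflow can only lower, never raise, the scopes handed to it by the calling job, so the run should be rejected at validation time with an error of the form "the workflow is requesting 'contents: read' but is only allowed 'contents: none'". If build.yml checks out the repository (its jobs are outside this view), the line should read `contents: read` instead. Separately, nightly-release.yml is the one workflow in the change that gets no workflow-level `permissions:` block, presumably because `github-release` (outside the hunk) needs `contents: write`; giving that job its own `permissions: contents: write` would let the workflow default be pinned to read here as in the other files.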