diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 5a2161240a..06ed3234cc 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: "30 1 1,15 * *" # every 2 weeks on the 1st and the 15th of every month at 1:30 AM
+permissions:
+ contents: read
+
 env:
 DIFFUSERS_IS_CI: yes
 HF_XET_HIGH_PERFORMANCE: 1
diff --git a/.github/workflows/build_docker_images.yml b/.github/workflows/build_docker_images.yml
index c38382c1be..6de59f569a 100644
--- a/.github/workflows/build_docker_images.yml
+++ b/.github/workflows/build_docker_images.yml
@@ -14,6 +14,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 env:
 REGISTRY: diffusers
 CI_SLACK_CHANNEL: ${{ secrets.CI_DOCKER_CHANNEL }}
@@ -23,6 +26,9 @@ jobs:
 runs-on:
 group: aws-general-8-plus
 if: github.event_name == 'pull_request'
+ permissions:
+ contents: read
+ pull-requests: read
 steps:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
diff --git a/.github/workflows/build_documentation.yml b/.github/workflows/build_documentation.yml
index 8098ac7625..c872c4f742 100644
--- a/.github/workflows/build_documentation.yml
+++ b/.github/workflows/build_documentation.yml
@@ -12,6 +12,9 @@ on:
 - "examples/**"
 - "docs/**"
+permissions:
+ contents: read
+
 jobs:
 build:
 uses: huggingface/doc-builder/.github/workflows/build_main_documentation.yml@2430c1ec91d04667414e2fa31ecfc36c153ea391 # main
diff --git a/.github/workflows/build_pr_documentation.yml b/.github/workflows/build_pr_documentation.yml
index 93db74abfc..2b65bf44c2 100644
--- a/.github/workflows/build_pr_documentation.yml
+++ b/.github/workflows/build_pr_documentation.yml
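Review bot: The job-level `permissions:` block added under `if: github.event_name == 'pull_request'` in build_docker_images.yml replaces the workflow-level `contents: read` from the earlier hunk instead of extending it, so this job now holds exactly `contents: read` and `pull-requests: read` and nothing else. Nothing in the hunk shows which step reads the pull request, so a short comment would stop the extra scope from being pruned or copied blindly, e.g. `pull-requests: read  # needed by <step that reads PR metadata — confirm>`. The same replace-not-merge rule means any job in the other files that pushes, tags, comments or publishes through GITHUB_TOKEN now needs its own job-level block, which is worth checking per file before merge. The job body continues outside the hunk.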
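Review bot: The new workflow-level `contents: read` in build_documentation.yml also caps what the reusable workflow on the `uses: huggingface/doc-builder/.github/workflows/build_main_documentation.yml@...` line can do with GITHUB_TOKEN, because a called workflow can only receive permissions the caller holds; if that callee writes through GITHUB_TOKEN (a commit, a PR comment, an artifact download from another run) rather than through a secret it is passed, the `build` job will now fail at that step. The same caveat applies to the `uses: huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml@...` call in upload_pr_documentation.yml, which runs on `workflow_run` and so is the likelier of the two to need scopes beyond `contents: read`. Worth checking the callees' own `permissions:` blocks before merging and, where more is needed, declaring the exact set on the `build` job so the workflow default stays read-only.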
@@ -11,6 +11,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 check-links:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/mirror_community_pipeline.yml b/.github/workflows/mirror_community_pipeline.yml
index 73cced7c13..bf7d153097 100644
--- a/.github/workflows/mirror_community_pipeline.yml
+++ b/.github/workflows/mirror_community_pipeline.yml
@@ -20,6 +20,9 @@ on:
 required: true
 default: 'main'
+permissions:
+ contents: read
+
 jobs:
 mirror_community_pipeline:
 env:
diff --git a/.github/workflows/nightly_tests.yml b/.github/workflows/nightly_tests.yml
index 4bf5f88633..4819d74df1 100644
--- a/.github/workflows/nightly_tests.yml
+++ b/.github/workflows/nightly_tests.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: "0 0 * * *" # every day at midnight
+permissions:
+ contents: read
+
 env:
 DIFFUSERS_IS_CI: yes
 HF_XET_HIGH_PERFORMANCE: 1
diff --git a/.github/workflows/notify_slack_about_release.yml b/.github/workflows/notify_slack_about_release.yml
index 7751827d81..586450c600 100644
--- a/.github/workflows/notify_slack_about_release.yml
+++ b/.github/workflows/notify_slack_about_release.yml
@@ -5,6 +5,9 @@ on:
 release:
 types: [published]
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/pr_dependency_test.yml b/.github/workflows/pr_dependency_test.yml
index e89e71de6d..1f16729efb 100644
--- a/.github/workflows/pr_dependency_test.yml
+++ b/.github/workflows/pr_dependency_test.yml
@@ -15,6 +15,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 check_dependencies:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/pr_modular_tests.yml b/.github/workflows/pr_modular_tests.yml
index bbdb9dd327..86b6ce9fcb 100644
--- a/.github/workflows/pr_modular_tests.yml
+++ b/.github/workflows/pr_modular_tests.yml
@@ -25,6 +25,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 env:
 DIFFUSERS_IS_CI: yes
 HF_XET_HIGH_PERFORMANCE: 1
diff --git a/.github/workflows/pr_test_fetcher.yml b/.github/workflows/pr_test_fetcher.yml
index a02a40709f..3459852208 100644
--- a/.github/workflows/pr_test_fetcher.yml
+++ b/.github/workflows/pr_test_fetcher.yml
@@ -2,6 +2,9 @@ name: Fast tests for PRs - Test Fetcher
 on: workflow_dispatch
+permissions:
+ contents: read
+
 env:
 DIFFUSERS_IS_CI: yes
 OMP_NUM_THREADS: 4
diff --git a/.github/workflows/pr_torch_dependency_test.yml b/.github/workflows/pr_torch_dependency_test.yml
index 27b4483ac5..4b3184ce2c 100644
--- a/.github/workflows/pr_torch_dependency_test.yml
+++ b/.github/workflows/pr_torch_dependency_test.yml
@@ -15,6 +15,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 check_torch_dependencies:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/push_tests.yml b/.github/workflows/push_tests.yml
index e8bf71f3a2..99db00e567 100644
--- a/.github/workflows/push_tests.yml
+++ b/.github/workflows/push_tests.yml
@@ -10,6 +10,9 @@ on:
 - "examples/**.py"
 - "tests/**.py"
+permissions:
+ contents: read
+
 env:
 DIFFUSERS_IS_CI: yes
 OMP_NUM_THREADS: 8
diff --git a/.github/workflows/push_tests_fast.yml b/.github/workflows/push_tests_fast.yml
index fe6f6a265e..e88fb88d01 100644
--- a/.github/workflows/push_tests_fast.yml
+++ b/.github/workflows/push_tests_fast.yml
@@ -13,6 +13,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 env:
 DIFFUSERS_IS_CI: yes
 HF_HOME: /mnt/cache
diff --git a/.github/workflows/push_tests_mps.yml b/.github/workflows/push_tests_mps.yml
index e9f06840d3..6a6825713e 100644
--- a/.github/workflows/push_tests_mps.yml
+++ b/.github/workflows/push_tests_mps.yml
@@ -3,6 +3,9 @@ name: Fast mps tests on main
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 env:
 DIFFUSERS_IS_CI: yes
 HF_HOME: /mnt/cache
diff --git a/.github/workflows/release_tests_fast.yml b/.github/workflows/release_tests_fast.yml
index 77c31b6f8b..3e869514c5 100644
--- a/.github/workflows/release_tests_fast.yml
+++ b/.github/workflows/release_tests_fast.yml
@@ -10,6 +10,9 @@ on:
 - "v*.*.*-release"
 - "v*.*.*-patch"
+permissions:
+ contents: read
+
 env:
 DIFFUSERS_IS_CI: yes
 OMP_NUM_THREADS: 8
diff --git a/.github/workflows/run_tests_from_a_pr.yml b/.github/workflows/run_tests_from_a_pr.yml
index 3e5462f510..c1284e12a1 100644
--- a/.github/workflows/run_tests_from_a_pr.yml
+++ b/.github/workflows/run_tests_from_a_pr.yml
@@ -14,6 +14,9 @@ on:
 description: 'Tests to run (e.g.: `tests/models`).'
 required: true
+permissions:
+ contents: read
+
 env:
 DIFFUSERS_IS_CI: yes
 IS_GITHUB_CI: "1"
diff --git a/.github/workflows/ssh-pr-runner.yml b/.github/workflows/ssh-pr-runner.yml
index d463c46cc9..96ffa3bae7 100644
--- a/.github/workflows/ssh-pr-runner.yml
+++ b/.github/workflows/ssh-pr-runner.yml
@@ -7,6 +7,9 @@ on:
 description: 'Name of the Docker image'
 required: true
+permissions:
+ contents: read
+
 env:
 IS_GITHUB_CI: "1"
 HF_HUB_READ_TOKEN: ${{ secrets.HF_HUB_READ_TOKEN }}
diff --git a/.github/workflows/ssh-runner.yml b/.github/workflows/ssh-runner.yml
index 4fbfad3dc7..73465ce858 100644
--- a/.github/workflows/ssh-runner.yml
+++ b/.github/workflows/ssh-runner.yml
@@ -15,6 +15,9 @@ on:
 description: 'Name of the Docker image'
 required: true
+permissions:
+ contents: read
+
 env:
 IS_GITHUB_CI: "1"
 HF_HUB_READ_TOKEN: ${{ secrets.HF_HUB_READ_TOKEN }}
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
index 3cf13f7bde..8eb35832bd 100644
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
@@ -3,6 +3,9 @@ on:
 name: Secret Leaks
+permissions:
+ contents: read
+
 jobs:
 trufflehog:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/typos.yml b/.github/workflows/typos.yml
index ccaa48e707..2f99fc73b6 100644
--- a/.github/workflows/typos.yml
+++ b/.github/workflows/typos.yml
@@ -3,6 +3,9 @@ name: Check typos
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/update_metadata.yml b/.github/workflows/update_metadata.yml
index 6e608883c1..e5e0984c59 100644
--- a/.github/workflows/update_metadata.yml
+++ b/.github/workflows/update_metadata.yml
@@ -7,6 +7,9 @@ on:
 - main
 - update_diffusers_metadata*
+permissions:
+ contents: read
+
 jobs:
 update_metadata:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/upload_pr_documentation.yml b/.github/workflows/upload_pr_documentation.yml
index e06ab79962..a97f2a9e10 100644
--- a/.github/workflows/upload_pr_documentation.yml
+++ b/.github/workflows/upload_pr_documentation.yml
@@ -6,6 +6,9 @@ on:
 types:
 - completed
+permissions:
+ contents: read
+
 jobs:
 build:
 uses: huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml@9ad2de8582b56c017cb530c1165116d40433f1c6 # main
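Review bot: update_metadata.yml now runs with a read-only GITHUB_TOKEN, yet its name and its push trigger on `main` / `update_diffusers_metadata*` suggest the `update_metadata` job writes something back; if that write uses GITHUB_TOKEN (a git push or a GitHub API call), it needs `contents: write` declared on the job, i.e. `permissions:` / `contents: write` directly under `update_metadata:`, so that the workflow-level default can stay at read. If it authenticates with a separately stored secret instead, the change is correct and a one-line comment at the job naming which credential performs the write would keep the read-only default from being questioned again. The job body lies outside the hunk, so this is inferred from the trigger alone.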