diff --git a/.github/workflows/dependabot-prs.yml b/.github/workflows/dependabot-prs.yml
index 2af2664bf5d..9bb7a5299c3 100644
--- a/.github/workflows/dependabot-prs.yml
+++ b/.github/workflows/dependabot-prs.yml
@@ -4,6 +4,8 @@ on:
   pull_request:
     types: [opened, reopened]
 
+permissions: {}
+
 jobs:
   process-dependabot-prs:
     permissions:
diff --git a/.github/workflows/docs-linkcheck.yml b/.github/workflows/docs-linkcheck.yml
index 215add4b0b3..f97d0cbce49 100644
--- a/.github/workflows/docs-linkcheck.yml
+++ b/.github/workflows/docs-linkcheck.yml
@@ -7,6 +7,8 @@ on:
     paths:
       - .github/workflows/docs-linkcheck.yml
 
+permissions: {}
+
 jobs:
   test-sphinx-build:
     name: test-sphinx-linkcheck
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 60ab6d5a720..9a54e51ce22 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -8,10 +8,15 @@ on:
     branches:
       - master
 
+permissions: {}
+
 jobs:
   test-sphinx-build:
     name: test-sphinx-build
     runs-on: ${{matrix.os}}
+    permissions:
+      # for uploading artifacts
+      actions: write
     strategy:
       matrix:
         python-version: ['3.10']
diff --git a/.github/workflows/gha_security.yml b/.github/workflows/gha_security.yml
index c18b5aab3f7..bd7a8fafe1b 100644
--- a/.github/workflows/gha_security.yml
+++ b/.github/workflows/gha_security.yml
@@ -6,6 +6,8 @@ on:
       - master
   pull_request:
 
+permissions: {}
+
 jobs:
   zizmor:
     name: Security Analysis with zizmor
@@ -25,7 +27,7 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
         with:
           sarif_file: results.sarif
           category: zizmor
\ No newline at end of file
diff --git a/.github/workflows/labelling.yml b/.github/workflows/labelling.yml
index 60e3744d2d5..24b01a71dfc 100644
--- a/.github/workflows/labelling.yml
+++ b/.github/workflows/labelling.yml
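Review bot: The `actions: write` grant added to the test-sphinx-build job in docs.yml is broader than artifact upload needs; that scope also lets the job token cancel or re-run workflows and delete artifacts and logs. As far as I can tell, `actions/upload-artifact` (and same-run `download-artifact`) authenticates with the runner's artifact token rather than `GITHUB_TOKEN`, so it works under `permissions: {}`, and `actions: read` is only required for pulling artifacts from a different run. I would remove the three added `permissions:` lines, or replace them with `contents: read` if `actions/checkout` needs it on this repository, and confirm the upload still succeeds. The job's `steps:` lie outside this hunk, so the upload step itself is not visible here.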
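Review bot: With `permissions: {}` now at workflow level in gha_security.yml, the zizmor job must declare its own grants or the SARIF upload will be rejected: `security-events: write` for `upload-sarif` and `contents: read` for checkout (the latter is strictly required on a private repository). The job's `permissions:` block is not part of this hunk, so please confirm it is present under `zizmor:` with at least `security-events: write` and `contents: read`. The `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` handed to zizmor in the second hunk only feeds its online audits, which need read access, so no further scope is warranted there.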
@@ -4,6 +4,8 @@ on:
   pull_request:
     types: [opened]
 
+permissions: {}
+
 jobs:
   pre-commit-ci:
     permissions:
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index 196b2c66704..e32ece0ff4e 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -4,9 +4,15 @@ on:
   schedule:
     - cron: '8 4 * * *'
 
+permissions: {}
+
 jobs:
   lock:
     runs-on: ubuntu-latest
+    permissions:
+      # For locking the threads
+      issues: write
+      pull-requests: write
     steps:
       - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
         with:
diff --git a/.github/workflows/release_pypi.yml b/.github/workflows/release_pypi.yml
index a532c45349d..73ae5d8c7eb 100644
--- a/.github/workflows/release_pypi.yml
+++ b/.github/workflows/release_pypi.yml
@@ -4,12 +4,17 @@ on:
   # manually trigger the workflow
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   build:
     name: Build Distribution
     runs-on: ubuntu-latest
     outputs:
       TAG: ${{ steps.get_tag.outputs.TAG }}
+    permissions:
+      # for uploading artifacts
+      actions: write
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -46,6 +51,7 @@ jobs:
       url: https://pypi.org/p/python-telegram-bot
     permissions:
       id-token: write # IMPORTANT: mandatory for trusted publishing
+      actions: read # for downloading artifacts
 
     steps:
       - name: Download all the dists
@@ -64,6 +70,7 @@ jobs:
 
     permissions:
       id-token: write # IMPORTANT: mandatory for sigstore
+      actions: write # for up/downloading artifacts
 
     steps:
       - name: Download all the dists
@@ -100,6 +107,7 @@ jobs:
 
     permissions:
       contents: write # IMPORTANT: mandatory for making GitHub Releases
+      actions: read # for downloading artifacts
 
     steps:
       - name: Download all the dists
diff --git a/.github/workflows/release_test_pypi.yml b/.github/workflows/release_test_pypi.yml
index 81564582090..b50ee80a4b1 100644
--- a/.github/workflows/release_test_pypi.yml
+++ b/.github/workflows/release_test_pypi.yml
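Review bot: The `actions: write` added to the build job in release_pypi.yml (first hunk, after `TAG:`) is more than uploading a same-run artifact needs; that scope also lets the job token cancel or re-run workflows and delete artifacts and logs. `actions/upload-artifact` and same-run `actions/download-artifact` use the runner's artifact token rather than `GITHUB_TOKEN`, so they work under `permissions: {}`; `actions: read` matters only when fetching artifacts from another run. The same holds for the `actions: read` / `actions: write` lines added to the publish, sign and release jobs in the later hunks of this file, and the sign job in particular would then hold `id-token: write` next to a write scope it does not use. I would drop these `actions:` grants and re-run the workflow to confirm, keeping only the existing `id-token: write` and `contents: write` lines.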
@@ -4,12 +4,17 @@ on:
   # manually trigger the workflow
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   build:
     name: Build Distribution
     runs-on: ubuntu-latest
     outputs:
       TAG: ${{ steps.get_tag.outputs.TAG }}
+    permissions:
+      # for uploading artifacts
+      actions: write
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -46,6 +51,7 @@ jobs:
       url: https://test.pypi.org/p/python-telegram-bot
     permissions:
       id-token: write # IMPORTANT: mandatory for trusted publishing
+      actions: read # for downloading artifacts
 
     steps:
       - name: Download all the dists
@@ -66,6 +72,7 @@ jobs:
 
     permissions:
       id-token: write # IMPORTANT: mandatory for sigstore
+      actions: write # for up/downloading artifacts
 
     steps:
       - name: Download all the dists
@@ -102,6 +109,7 @@ jobs:
 
     permissions:
       contents: write # IMPORTANT: mandatory for making GitHub Releases
+      actions: read # for downloading artifacts
 
     steps:
       - name: Download all the dists
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 5f3af6e5be1..fdbf96cc4c4 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -3,9 +3,14 @@ on:
   schedule:
     - cron: '42 2 * * *'
 
+permissions: {}
+
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      # For adding labels and closing
+      issues: write
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
diff --git a/.github/workflows/test_official.yml b/.github/workflows/test_official.yml
index 38ad8b8183c..6eae5e4bcf6 100644
--- a/.github/workflows/test_official.yml
+++ b/.github/workflows/test_official.yml
@@ -11,6 +11,8 @@ on:
     # Run monday and friday morning at 03:07 - odd time to spread load on GitHub Actions
     - cron: '7 3 * * 1,5'
 
+permissions: {}
+
 jobs:
   check-conformity:
     name: check-conformity
diff --git a/.github/workflows/type_completeness.yml b/.github/workflows/type_completeness.yml
index 66b2f4f3d47..3b3f30e4873 100644
--- a/.github/workflows/type_completeness.yml
+++ b/.github/workflows/type_completeness.yml
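Review bot: The `actions: write` / `actions: read` grants added to the build, publish, sign and release jobs in release_test_pypi.yml exceed what same-run artifact upload and download need; those steps use the runner's artifact token, not `GITHUB_TOKEN`, and `actions: read` is only required for artifacts of another run. `actions: write` additionally allows cancelling or re-running workflows and deleting artifacts and logs, which is an unwelcome extra on the sign job that already holds `id-token: write`. I would remove the added `actions:` lines and verify the test-PyPI workflow still passes, as for release_pypi.yml.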
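Review bot: The new `issues: write` grant in stale.yml covers issues only, but `actions/stale` processes pull requests as well unless told otherwise, so the PR pass will likely fail with "Resource not accessible by integration" under `permissions: {}`. The action's `with:` block is outside this hunk; if it does not disable PR handling (e.g. `days-before-pr-stale: -1`), add `pull-requests: write` next to `issues: write`. Either way, state the intent in the comment, e.g. `# For adding labels and closing issues; PRs are excluded via days-before-pr-stale`, so the next reader knows why one scope is missing.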
@@ -9,6 +9,8 @@ on:
     branches:
       - master
 
+permissions: {}
+
 jobs:
   test-type-completeness:
     name: test-type-completeness
diff --git a/.github/workflows/type_completeness_monthly.yml b/.github/workflows/type_completeness_monthly.yml
index fecf73db948..af7b6da7848 100644
--- a/.github/workflows/type_completeness_monthly.yml
+++ b/.github/workflows/type_completeness_monthly.yml
@@ -4,6 +4,8 @@ on:
     # Run first friday of the month at 03:17 - odd time to spread load on GitHub Actions
     - cron: '17 3 1-7 * 5'
 
+permissions: {}
+
 jobs:
   test-type-completeness:
     name: test-type-completeness
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index 3608bfda252..fd914bf91b4 100644
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@@ -14,6 +14,8 @@ on:
     # Run monday and friday morning at 03:07 - odd time to spread load on GitHub Actions
     - cron: '7 3 * * 1,5'
 
+permissions: {}
+
 jobs:
   pytest:
     name: pytest