diff --git a/.github/workflows/ci-label-check.yml b/.github/workflows/ci-label-check.yml
index 943d9135ed6..0fd32fbd4fd 100644
--- a/.github/workflows/ci-label-check.yml
+++ b/.github/workflows/ci-label-check.yml
@@ -10,6 +10,9 @@ on:
     - labeled
     - unlabeled
+permissions:
+  contents: read
+
 jobs:
   check-label:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
index 0ec85a7d21b..33cd2bd0855 100644
--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -8,13 +8,14 @@ on:
   workflow_dispatch:
 # See https://github.com/jaegertracing/jaeger/issues/4017
-# and https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
 permissions:
-  deployments: write
-  contents: write
+  contents: read
 jobs:
   publish-release:
+    permissions:
+      contents: write
+      deployments: write
     if: github.repository == 'jaegertracing/jaeger'
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ci-unit-tests-go-tip.yml b/.github/workflows/ci-unit-tests-go-tip.yml
index a19ddad55ed..e3bcadbb238 100644
--- a/.github/workflows/ci-unit-tests-go-tip.yml
+++ b/.github/workflows/ci-unit-tests-go-tip.yml
@@ -4,13 +4,13 @@ on:
   push:
     branches: [main]
-# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
-permissions: # added using https://github.com/step-security/secure-workflows
+permissions:
   contents: read
-  checks: write
 jobs:
   unit-tests-go-tip:
+    permissions:
+      checks: write
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
diff --git a/.github/workflows/ci-unit-tests.yml b/.github/workflows/ci-unit-tests.yml
index 857a6d30cea..aa9961533c9 100644
--- a/.github/workflows/ci-unit-tests.yml
+++ b/.github/workflows/ci-unit-tests.yml
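Review bot: The new workflow-level `contents: read` is the only scope the `check-label` job will receive, and its steps lie outside the hunk, so it is not visible whether the job reads labels from the event payload (`github.event.pull_request.labels`, needs no extra scope) or through the API. If a step lists labels, comments on the pull request, or fails it via the REST/`gh` path, that step would now need a job-level `pull-requests: read` (or `write`) — worth confirming against the job body before merging.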
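Review bot: The job-level `permissions:` block on `publish-release` replaces the workflow-level set rather than merging with it, so every scope the publishing steps use must be listed here; the steps themselves are outside the hunk. `contents: write` and `deployments: write` reproduce what the old top-level block granted, but any other scope the release steps may rely on (for example `id-token` for signing or `packages` for a registry push) would now be `none` — a short comment above the block, `# job-level permissions replace the workflow-level set; list every scope the release steps need`, would make that explicit. Note also that the `if: github.repository == 'jaegertracing/jaeger'` guard only excludes forks; a `workflow_dispatch` run on the upstream repository still mints a write-scoped token for the whole job, including any third-party actions inside it.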
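Review bot: The job-level `permissions:` on `unit-tests-go-tip` lists only `checks: write`, and a job-level block replaces the workflow-level one instead of merging with it, so this job's token now has `contents: none` — the `contents: read` added at the top of the file does not reach it. The same pattern appears in the `unit-tests` job of ci-unit-tests.yml in the next hunk. The job's steps beyond `Harden Runner` are outside the hunk; whether a checkout still succeeds without the `contents` scope depends on repository visibility, so the safe fix is to grant it explicitly: `permissions:` / `  checks: write` / `  contents: read` at the job level in both workflows.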
@@ -11,13 +11,13 @@ concurrency:
   group: ${{ github.workflow }}-${{ (github.event.pull_request && github.event.pull_request.number) || github.ref || github.run_id }}
   cancel-in-progress: true
-# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
-permissions: # added using https://github.com/step-security/secure-workflows
+permissions:
   contents: read
-  checks: write
 jobs:
   unit-tests:
+    permissions:
+      checks: write
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner