diff --git a/.github/workflows/backend-ci.yml b/.github/workflows/backend-ci.yml
index 66c69b5..fb92a7c 100644
--- a/.github/workflows/backend-ci.yml
+++ b/.github/workflows/backend-ci.yml
@@ -13,6 +13,8 @@ concurrency:
 group: ci-backend-pr-${{ github.event.pull_request.number }}
 cancel-in-progress: true
+permissions:
+ contents: read
 jobs:
 backend:
 name: backend checks
diff --git a/.github/workflows/cdk-synth.yml b/.github/workflows/cdk-synth.yml
index dabbeea..16ce84a 100644
--- a/.github/workflows/cdk-synth.yml
+++ b/.github/workflows/cdk-synth.yml
@@ -13,6 +13,8 @@ concurrency:
 group: ci-infra-synth-pr-${{ github.event.pull_request.number }}
 cancel-in-progress: true
+permissions:
+ contents: read
 jobs:
 synth:
 name: cdk synth (localSynth)
diff --git a/.github/workflows/frontend-cd.yml b/.github/workflows/frontend-cd.yml
index 562d79c..b00a6e3 100644
--- a/.github/workflows/frontend-cd.yml
+++ b/.github/workflows/frontend-cd.yml
@@ -2,8 +2,6 @@ name: CD - Frontend (S3 + CloudFront Deploy) [Manual]
 on:
 workflow_dispatch:
-
- # Enable later (when frontend is real + you want auto deploy on merge to master)
 push:
 branches: [master]
 paths:
@@ -74,7 +72,6 @@ jobs:
 echo "bucket_name=$BUCKET_NAME" >> "$GITHUB_OUTPUT"
 echo "distribution_id=$DIST_ID" >> "$GITHUB_OUTPUT"
- # Frontend build is placeholder for now.
 # This will only run once frontend/package.json exists.
 - name: Setup Node
 if: steps.fe.outputs.exists == 'true'
diff --git a/.github/workflows/frontend-ci.yml b/.github/workflows/frontend-ci.yml
index 7149396..7db8caf 100644
--- a/.github/workflows/frontend-ci.yml
+++ b/.github/workflows/frontend-ci.yml
@@ -13,6 +13,8 @@ concurrency:
 group: ci-frontend-pr-${{ github.event.pull_request.number }}
 cancel-in-progress: true
+permissions:
+ contents: read
 jobs:
 frontend:
 name: frontend checks
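Review bot: The new workflow-level `permissions:` block in backend-ci.yml (and the identical hunks in cdk-synth.yml and frontend-ci.yml) sets every token scope other than `contents` to none, so any step in the jobs below that comments on the pull request, writes check annotations or requests an OIDC token will start failing. The job bodies lie outside these hunks, so this needs checking per workflow, with any extra scope granted at job level rather than here. I would add a comment above the block saying so, e.g. `# Least privilege: GITHUB_TOKEN is read-only; add scopes per job, not here.` frontend-cd.yml is touched by the same commit but its hunks show no `permissions:` block; if it has none elsewhere in the file, the deploy workflow is left on the repository's default token permissions, and it is the one where an explicit block matters most.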