diff --git a/.github/workflows/add-good-first-issue-labels.yml b/.github/workflows/add-good-first-issue-labels.yml
index 05d05caf..16a73a53 100644
--- a/.github/workflows/add-good-first-issue-labels.yml
+++ b/.github/workflows/add-good-first-issue-labels.yml
@@ -9,6 +9,9 @@ on:
     types:
       - created
 
+permissions:
+  issues: write
+
 jobs:
   add-labels:
     if: ${{(!github.event.issue.pull_request && github.event.issue.state != 'closed' && github.actor != 'asyncapi-bot') && (contains(github.event.comment.body, '/good-first-issue') || contains(github.event.comment.body, '/gfi' ))}}
diff --git a/.github/workflows/bounty-program-commands.yml b/.github/workflows/bounty-program-commands.yml
index c42e3005..d4dbb404 100644
--- a/.github/workflows/bounty-program-commands.yml
+++ b/.github/workflows/bounty-program-commands.yml
@@ -14,6 +14,9 @@ on:
     types:
       - created
 
+permissions:
+  issues: write
+
 env:
   BOUNTY_PROGRAM_LABELS_JSON: |
     [
diff --git a/.github/workflows/help-command.yml b/.github/workflows/help-command.yml
index 6228c56f..75ab2585 100644
--- a/.github/workflows/help-command.yml
+++ b/.github/workflows/help-command.yml
@@ -8,6 +8,10 @@ on:
     types:
       - created
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   create_help_comment_pr:
     if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '/help') && github.actor != 'asyncapi-bot' }}
@@ -64,4 +68,4 @@ jobs:
 - \`/good-first-issue {js | ts | java | go | docs | design | ci-cd}\` or \`/gfi {js | ts | java | go | docs | design | ci-cd}\` - label an issue as a \`good first issue\`. example: \`/gfi js\` or \`/good-first-issue ci-cd\` - \`/transfer-issue {repo-name}\` or \`/ti {repo-name}\` - transfer issue from the source repository to the other repository passed by the user. example: \`/ti cli\` or \`/transfer-issue cli\`.`
-            })
\ No newline at end of file
+            })
diff --git a/.github/workflows/issues-prs-notifications.yml b/.github/workflows/issues-prs-notifications.yml
index ce136286..ebf6b5b4 100644
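Review bot: The `permissions` block is placed at workflow level, so `issues: write` is granted to every job in this file rather than only to `add-labels`; the same placement is used in bounty-program-commands.yml, help-command.yml, lint-pr-title.yml and welcome-first-time-contrib.yml. The `workflow-security` job this commit adds runs zizmor with `persona: pedantic`, and as far as I recall its excessive-permissions audit reports workflow-level write grants and asks for job-level scoping, so these files may fail the new check on its first run. Moving the grant under the job that uses it, `add-labels:` / `  permissions:` / `    issues: write`, keeps the scope where it is needed; the rest of the `add-labels` job lies outside the hunk.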
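Review bot: `issues: write` looks broader than `create_help_comment_pr` needs: its `if` limits the job to comments on pull requests (`github.event.issue.pull_request`), and commenting on a pull request through the issues API is, per GitHub's permission tables, covered by `pull-requests: write`. If another job in this file (outside the hunk) comments on plain issues the extra scope is justified, otherwise it can be dropped; the job's steps and the token they use are outside the hunk, so confirm there before tightening. The file's second hunk only adds the missing trailing newline.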
--- a/.github/workflows/issues-prs-notifications.yml
+++ b/.github/workflows/issues-prs-notifications.yml
@@ -14,6 +14,9 @@ on:
   discussion:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   issue:
     if: github.event_name == 'issues' && github.actor != 'asyncapi-bot' && github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml
index 77aa1c6e..1f83f632 100644
--- a/.github/workflows/lint-pr-title.yml
+++ b/.github/workflows/lint-pr-title.yml
@@ -7,6 +7,9 @@ on:
   pull_request_target:
     types: [opened, reopened, synchronize, edited, ready_for_review]
 
+permissions:
+  pull-requests: write
+
 jobs:
   lint-pr-title:
     name: Lint PR title
diff --git a/.github/workflows/notify-tsc-members-mention.yml b/.github/workflows/notify-tsc-members-mention.yml
index ffa39bbc..57799fb5 100644
--- a/.github/workflows/notify-tsc-members-mention.yml
+++ b/.github/workflows/notify-tsc-members-mention.yml
@@ -25,6 +25,9 @@ on:
     types:
       - created
 
+permissions:
+  contents: read
+
 jobs:
   issue:
     if: github.event_name == 'issues' && contains(github.event.issue.body, '@asyncapi/tsc_members')
diff --git a/.github/workflows/validate-workflow-schema.yml b/.github/workflows/validate-workflow-schema.yml
index 8365e8e3..8b29edc5 100644
--- a/.github/workflows/validate-workflow-schema.yml
+++ b/.github/workflows/validate-workflow-schema.yml
@@ -7,6 +7,9 @@ on:
     paths:
       - '.github/workflows/**'
 
+permissions:
+  contents: read
+
 jobs:
   yaml-lint:
     runs-on: ubuntu-latest
@@ -69,4 +72,19 @@ jobs:
               }
             }
           }
-          validateWorkflows();
\ No newline at end of file
+          validateWorkflows();
+
+  workflow-security:
+    name: Workflow security checks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Run actionlint
+        uses: rhysd/actionlint@v1
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@v0.1.2
+        with:
+          persona: pedantic
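Review bot: `contents: read` is only required if a job in this workflow checks out the repository; for notification jobs that just post to an external webhook, `permissions: {}` is the tighter grant and still removes the default token scopes. The same applies to the identical block added in notify-tsc-members-mention.yml. The jobs themselves are outside the hunk, so confirm whether any step uses actions/checkout before narrowing it.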
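Review bot: `pull-requests: write` is now granted on a `pull_request_target` trigger, which runs in the base repository's context for pull requests from forks, including on the `synchronize` and `edited` events the fork controls. That combination stays safe only as long as the `lint-pr-title` job (outside the hunk) never checks out or executes the PR head and reads the title via the API alone; that constraint is worth recording above the block, e.g. `# pull_request_target: this job must not check out or run PR head code`. If the job does not post a comment on the PR, `pull-requests: read` is sufficient.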
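Review bot: The new `workflow-security` job pins `actions/checkout`, `rhysd/actionlint` and `zizmorcore/zizmor-action` by mutable tag (`@v4`, `@v1`, `@v0.1.2`), so the check meant to audit the repository's workflows is itself exposed to a moved tag; pin each to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`. The checkout step also leaves `persist-credentials` at its default, which zizmor's artipacked audit reports, so under `persona: pedantic` the job will likely flag its own workflow on the first run; add `with:` / `  persist-credentials: false` to that step. If zizmor-action's SARIF upload to code scanning stays enabled, which I recall is its default, the job additionally needs `security-events: write`, which the workflow-level `contents: read` does not grant; confirm against the action's documentation or turn the upload off.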
diff --git a/.github/workflows/welcome-first-time-contrib.yml b/.github/workflows/welcome-first-time-contrib.yml
index 2614d8de..ca1a35fd 100644
--- a/.github/workflows/welcome-first-time-contrib.yml
+++ b/.github/workflows/welcome-first-time-contrib.yml
@@ -11,6 +11,10 @@ on:
     types:
       - opened
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   welcome:
     name: Post welcome message