diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8c3f6437..a2b5ce6a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,16 +10,14 @@ on:
 # * At 05:00 UTC every Monday, run the latest commit on the default or base branch
 - cron: '0 5 * * MON'
-# Restrict jobs in this workflow to only be allowed to read this repo by default.
-#
-# If you are wanting to introduce a job/tool that requires more permissions (such
-# as posting comments or commits to the repository), then you should grant just
-# that job the necessarily permissions by giving it a dedicated `permissions` block.
-permissions:
- contents: read # to fetch code (actions/checkout)
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
 jobs:
 audit_dependencies:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
@@ -28,6 +26,8 @@ jobs:
 - name: Audit dependencies for security vulnerabilities
 uses: g-rath/check-with-osv-detector@main
 test:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
@@ -41,6 +41,8 @@ jobs:
 - run: yarn run format-check
 rubocop:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
@@ -56,6 +58,8 @@ jobs:
 run: bundle exec rubocop
 test_generated_apps:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 strategy:
 # don't stop all variants if one of them fails (we usually want to know
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 3451df64..c6cf0cf5 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
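Review bot: The per-job `contents: read` added under `audit_dependencies`, `test`, `rubocop` and `test_generated_apps` drops the why-comment the removed workflow-level line carried, so a reader no longer sees which step needs the scope; the same applies to the three jobs in the `ci.yml.tt` hunks. Keeping the original annotation, `contents: read # to fetch code (actions/checkout)`, also matches the commented-out deploy jobs in the template, which retain it. The new header comment could additionally state that with `permissions: {}` at the workflow level a job added later without its own `permissions` block receives a `GITHUB_TOKEN` with no scopes at all, which is the safe default this commit intends but is easy to trip over when adding a job.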
@@ -14,15 +14,20 @@ on:
 schedule:
 - cron: '0 0 * * 0'
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
+
 jobs:
 analyze:
- name: Analyze
- runs-on: ubuntu-latest
 permissions:
 actions: read
 contents: read
 security-events: write
+ name: Analyze
+ runs-on: ubuntu-latest
+
 strategy:
 fail-fast: false
 matrix:
diff --git a/variants/github_actions_ci/workflows/ci.yml.tt b/variants/github_actions_ci/workflows/ci.yml.tt
index aaaa92aa..de3ca46c 100644
--- a/variants/github_actions_ci/workflows/ci.yml.tt
+++ b/variants/github_actions_ci/workflows/ci.yml.tt
@@ -19,16 +19,14 @@ env:
 SIDEKIQ_WEB_PASSWORD: password
 <%- end -%>
-# Restrict jobs in this workflow to only be allowed to read this repo by default.
-#
-# If you are wanting to introduce a job/tool that requires more permissions (such
-# as posting comments or commits to the repository), then you should grant just
-# that job the necessarily permissions by giving it a dedicated `permissions` block.
-permissions:
- contents: read # to fetch code (actions/checkout)
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
 jobs:
 audit_dependencies:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
@@ -37,6 +35,8 @@ jobs:
 - name: Audit dependencies for security vulnerabilities
 uses: g-rath/check-with-osv-detector@main
 js_based_checks:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 timeout-minutes: 15
 steps:
@@ -54,6 +54,8 @@ jobs:
 - run: yarn run js-lint
 - run: yarn run format-check
 ruby_based_checks:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 timeout-minutes: 20
 services:
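Review bot: In the codeql-analysis.yml hunk the `analyze` job's `actions: read`, `contents: read` and `security-events: write` scopes carry no why-comments, and now that this commit makes per-job grants the documented policy the one write scope in particular deserves one, e.g. `security-events: write # to upload code-scanning (SARIF) results`. Moving `name` and `runs-on` below `permissions` is purely cosmetic and inflates the diff, although it does match the key order the ci.yml jobs now use, so it is defensible as a consistency choice. The rest of the `analyze` job continues outside the hunk.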
@@ -127,15 +129,15 @@ jobs:
 # #########################################################################
 #
 # deploy_to_ec2_staging:
+ # permissions:
+ # id-token: write # to use OIDC (aws-actions/configure-aws-credentials)
+ # contents: read # to fetch code (actions/checkout)
 # if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 # needs:
 # - audit_dependencies
 # - ruby_based_checks
 # - js_based_checks
 # uses: ./.github/workflows/deploy_to_ec2.yml
- # permissions:
- # id-token: write # to use OIDC (aws-actions/configure-aws-credentials)
- # contents: read # to fetch code (actions/checkout)
 # with:
 # environment: staging
 # environment_url: '<%= "https://#{TEMPLATE_CONFIG.staging_hostname}" %>'
@@ -145,15 +147,15 @@ jobs:
 # ssh_private_key: ${{ secrets.STAGING_SSH_PRIVATE_KEY }}
 # slack_webhook: ${{ secrets.SLACK_WEBHOOK }}
 # deploy_to_ec2_production:
+ # permissions:
+ # id-token: write # to use OIDC (aws-actions/configure-aws-credentials)
+ # contents: read # to fetch code (actions/checkout)
 # if: github.event_name == 'push' && github.ref == 'refs/heads/production'
 # needs:
 # - audit_dependencies
 # - ruby_based_checks
 # - js_based_checks
 # uses: ./.github/workflows/deploy_to_ec2.yml
- # permissions:
- # id-token: write # to use OIDC (aws-actions/configure-aws-credentials)
- # contents: read # to fetch code (actions/checkout)
 # with:
 # environment: production
 # environment_url: '<%= "https://#{TEMPLATE_CONFIG.production_hostname}" %>'
@@ -168,14 +170,14 @@ jobs:
 # #########################################################################
 #
 # deploy_to_heroku_staging:
+ # permissions:
+ # contents: read # to fetch code (actions/checkout)
 # if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 # needs:
 # - audit_dependencies
 # - ruby_based_checks
 # - js_based_checks
 # uses: ./.github/workflows/deploy_to_heroku.yml
- # permissions:
- # contents: read # to fetch code (actions/checkout)
 # with:
 # environment: staging
 # environment_url: '<%= "https://#{TEMPLATE_CONFIG.staging_hostname}" %>'
@@ -185,14 +187,14 @@ jobs:
 # heroku_app_name: ${{ secrets.HEROKU_APP_NAME_STAGING }}
 # slack_webhook: ${{ secrets.SLACK_WEBHOOK }}
 # deploy_to_heroku_production:
+ # permissions:
+ # contents: read # to fetch code (actions/checkout)
 # if: github.event_name == 'push' && github.ref == 'refs/heads/production'
 # needs:
 # - audit_dependencies
 # - ruby_based_checks
 # - js_based_checks
 # uses: ./.github/workflows/deploy_to_heroku.yml
- # permissions:
- # contents: read # to fetch code (actions/checkout)
 # with:
 # environment: production
 # environment_url: '<%= "https://#{TEMPLATE_CONFIG.production_hostname}" %>'