diff --git a/.github/workflows/build-and-test-linux.yml b/.github/workflows/build-and-test-linux.yml
index da34d50df2..335a244221 100644
--- a/.github/workflows/build-and-test-linux.yml
+++ b/.github/workflows/build-and-test-linux.yml
@@ -16,7 +16,6 @@ on:
 
 permissions:
   contents: read
-  pull-requests: read
 
 jobs:
   build:
diff --git a/.github/workflows/dispatch-build-and-test.yml b/.github/workflows/dispatch-build-and-test.yml
index 755f9dd00d..7fbec14cc5 100644
--- a/.github/workflows/dispatch-build-and-test.yml
+++ b/.github/workflows/dispatch-build-and-test.yml
@@ -10,7 +10,6 @@ on:
 
 permissions:
   contents: read
-  pull-requests: read
 
 jobs:
   # Using a matrix to dispatch to the build-and-test reusable workflow for each build configuration
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 5d7ad0b6b0..02464dd633 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -59,6 +59,7 @@ jobs:
     name: NVRTC CUDA${{matrix.cuda}} C++${{matrix.std}}
     permissions:
       id-token: write
+      contents: read
     needs: compute-matrix
     if: ${{ !contains(github.event.head_commit.message, 'skip-tests') }}
     uses: ./.github/workflows/run-as-coder.yml
@@ -77,6 +78,7 @@ jobs:
     name: Thrust CUDA${{ matrix.cuda_version }} ${{ matrix.compiler }}
     permissions:
       id-token: write
+      contents: read
     needs: compute-matrix
     uses: ./.github/workflows/dispatch-build-and-test.yml
     strategy:
@@ -94,6 +96,7 @@ jobs:
     name: CUB CUDA${{ matrix.cuda_version }} ${{ matrix.compiler }}
     permissions:
       id-token: write
+      contents: read
     needs: compute-matrix
     uses: ./.github/workflows/dispatch-build-and-test.yml
     strategy:
@@ -111,6 +114,7 @@ jobs:
     name: libcudacxx CUDA${{ matrix.cuda_version }} ${{ matrix.compiler }}
     permissions:
       id-token: write
+      contents: read
     needs: compute-matrix
     uses: ./.github/workflows/dispatch-build-and-test.yml
     strategy:
@@ -128,6 +132,7 @@ jobs:
     name: ${{matrix.lib}} ${{matrix.cpu}}/CTK${{matrix.cuda}}/clang-cuda
     permissions:
       id-token: write
+      contents: read
     needs: compute-matrix
     strategy:
       fail-fast: false
@@ -145,6 +150,7 @@ jobs:
     name: CCCL Infrastructure
     permissions:
       id-token: write
+      contents: read
     needs: compute-matrix
     if: ${{ !contains(github.event.head_commit.message, 'skip-tests') }}
     strategy:
diff --git a/.github/workflows/run-as-coder.yml b/.github/workflows/run-as-coder.yml
index 292ff15162..9b97f141ec 100644
--- a/.github/workflows/run-as-coder.yml
+++ b/.github/workflows/run-as-coder.yml
@@ -16,7 +16,6 @@ on:
 
 permissions:
   contents: read
-  pull-requests: read
 
 jobs:
   run-as-coder: