diff --git a/.github/workflows/branch-preview.yaml b/.github/workflows/branch-preview.yaml
index 55a8f1b6..e2a95cbc 100644
--- a/.github/workflows/branch-preview.yaml
+++ b/.github/workflows/branch-preview.yaml
@@ -7,8 +7,11 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+# Least-privilege root (CIS GHA 1.2). Tag-pushing / deploy jobs grant
+# `contents: write` per-job below: `publish-sc-preview` (welder deploy),
+# `publish-git-tag` (git push tag), and `finalize` (notify/comment).
 permissions:
-  contents: write
+ contents: read
 
 jobs:
 prepare:
@@ -276,6 +279,8 @@ jobs:
 # Does not need docker-build — SC binary publishing is independent of the Docker image.
 # Runs in parallel with publish-git-tag.
 needs: [prepare, build-setup, build-platforms, test]
+ permissions:
+ contents: write # welder deploy reads release artifacts + updates dist
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
@@ -328,6 +333,8 @@ jobs:
 # Only needs docker-build — the tag must point to a commit referencing a published Docker image.
 # Does not need build-platforms or publish-sc-preview. Runs in parallel with publish-sc-preview.
 needs: [prepare, docker-build]
+ permissions:
+ contents: write # commits the release branch + pushes the preview tag
 # GH_TOKEN must be visible to every step that runs git (checkout, commit,
 # push) because `gh auth setup-git` installs `gh auth git-credential` as
 # the credential helper — and that helper reads $GH_TOKEN from the
diff --git a/.github/workflows/branch.yaml b/.github/workflows/branch.yaml
index 1fc332b6..e6a0cdfe 100644
--- a/.github/workflows/branch.yaml
+++ b/.github/workflows/branch.yaml
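Review bot: The header comment lists `finalize` (notify/comment) among the jobs that grant `contents: write` for themselves, but no hunk in this diff touches a `finalize` job in any of the three files, so that grant either pre-exists or is missing — and if it is missing, finalize now runs on the read-only root token and its comment/notify step fails with a 403 at runtime rather than at parse time. Posting or updating a sticky PR comment is governed by `pull-requests: write` (or `issues: write`), not `contents: write`, so whatever block finalize carries should be checked against the scope its steps actually exercise and the comment wording changed to name that scope. The `permissions:` hunks in branch.yaml (@@ -15) and push.yaml (@@ -10) make the same claim about `finalize` and need the same confirmation. Because the root block no longer grants write, any other job that silently relied on the inherited grant and is not touched here loses it; a pass over every `git push`, release upload and `gh` call against the three per-job grants added here would close the accounting.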
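Review bot: The inline comment on `contents: write` in `publish-sc-preview` gives a read operation as the justification for a write grant — reading release artifacts needs only `contents: read`, which the job now inherits from the root — so the comment should name the write the job actually performs. If "updates dist" means uploading or replacing release assets, `contents: write  # welder deploy uploads release assets under dist; artifact reads need only the inherited read` states the purpose without overclaiming; if it means a local directory, the grant may be unnecessary and should be re-checked. The enclosing job definition starts before this hunk.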
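Review bot: The job-level `permissions:` block added to `publish-git-tag` constrains only `secrets.GITHUB_TOKEN`, while the trailing context shows the git steps authenticate through `$GH_TOKEN` via `gh auth git-credential`; if GH_TOKEN is populated from a PAT or an app installation token rather than GITHUB_TOKEN, this grant neither enables nor limits the push and the least-privilege comment misleads the next reader. Once the source is confirmed, stating it in the comment, e.g. `contents: write  # pushes the release branch + preview tag with GITHUB_TOKEN (exposed as GH_TOKEN below)`, makes the dependency explicit. Pushes made with GITHUB_TOKEN are also subject to repository rulesets, so the release branch and preview-tag pattern must either be unprotected or carry a bypass for the Actions token. The same token-source question applies to `docker-finalize` in push.yaml (@@ -364), where `welder run tag-release` pushes the release tag. The job's env and steps continue outside the hunk.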
@@ -15,8 +15,11 @@ on:
 - 'main'
 - 'staging'
 
+# Least-privilege root: every job inherits read-only unless it explicitly
+# grants more (CIS GHA 1.2). Only `finalize` actually needs `contents: write`
+# (sticky comment / notify), and it grants that itself further down.
 permissions:
-  contents: write
+ contents: read
 
 jobs:
 build-setup:
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index 50261f9d..8016ae72 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -10,8 +10,11 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: false
 
+# Least-privilege root (CIS GHA 1.2). Only `docker-finalize` (welder
+# tag-release + deploy) and `finalize` (notify) need `contents: write`;
+# both grant it per-job below.
 permissions:
-  contents: write
+ contents: read
 
 jobs:
 prepare:
@@ -364,6 +367,8 @@ jobs:
 name: Docker finalize (tag-release, deploy)
 runs-on: blacksmith-8vcpu-ubuntu-2204
 needs: [prepare, build-setup, build-platforms, build-binaries, build-github-actions-staging, test, build-docs, docker-build]
+ permissions:
+ contents: write # `welder run tag-release` pushes the release git tag
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with: