diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 5dbe841cb05..603448e27b7 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -48,7 +48,11 @@ name: "CI Failure Doctor" - Daily Perf Improver - Daily Test Coverage Improver -permissions: read-all +permissions: + actions: read + contents: read + issues: read + pull-requests: read concurrency: group: "gh-aw-${{ github.workflow }}" @@ -521,7 +525,11 @@ jobs: agent: needs: activation runs-on: ubuntu-latest - permissions: read-all + permissions: + actions: read + contents: read + issues: read + pull-requests: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: diff --git a/.github/workflows/ci-doctor.md b/.github/workflows/ci-doctor.md index d544f4f286b..a9c7adfcfa0 100644 --- a/.github/workflows/ci-doctor.md +++ b/.github/workflows/ci-doctor.md @@ -8,7 +8,11 @@ on: workflows: - Daily Perf Improver - Daily Test Coverage Improver -permissions: read-all +permissions: + contents: read + issues: read + pull-requests: read + actions: read safe-outputs: add-comment: null create-issue: diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index d4822c33a8f..54bf8165817 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -44,7 +44,11 @@ name: "Copilot Agent PR Analysis" - cron: 0 18 * * * workflow_dispatch: null -permissions: read-all +permissions: + actions: read + contents: read + issues: read + pull-requests: read concurrency: group: "gh-aw-${{ github.workflow }}" @@ -122,7 +126,11 @@ jobs: agent: needs: activation runs-on: ubuntu-latest - permissions: read-all + permissions: + actions: read + contents: read + issues: read + pull-requests: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" env: 
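Review bot: In `.github/workflows/ci-doctor.md`, the new explicit `permissions:` map sets every scope it does not list to `none`, so anything the agent could read under `read-all` beyond `contents`, `issues`, `pull-requests` and `actions` is now denied. For a workflow triggered by other workflows' runs, `checks: read` and `statuses: read` are the usual candidates; whether the prompt or its tools need them is not visible here, because the front matter and body continue outside the hunk. I would confirm they are unused or add them, and put a comment above the map such as `# least privilege: unlisted scopes are none; add a scope only when a tool needs it`. The same applies to the `smoke-detector.md` hunk.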
diff --git a/.github/workflows/copilot-agent-analysis.md b/.github/workflows/copilot-agent-analysis.md index 8dadb2fabf5..e317f893d6b 100644 --- a/.github/workflows/copilot-agent-analysis.md +++ b/.github/workflows/copilot-agent-analysis.md @@ -6,7 +6,11 @@ on: - cron: "0 18 * * *" workflow_dispatch: -permissions: read-all +permissions: + contents: read + issues: read + pull-requests: read + actions: read engine: claude diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 364ba461e46..0f80c704620 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -44,7 +44,11 @@ name: "Copilot PR Prompt Pattern Analysis" - cron: 0 9 * * * workflow_dispatch: null -permissions: read-all +permissions: + actions: read + contents: read + issues: read + pull-requests: read concurrency: group: "gh-aw-${{ github.workflow }}" @@ -122,7 +126,11 @@ jobs: agent: needs: activation runs-on: ubuntu-latest - permissions: read-all + permissions: + actions: read + contents: read + issues: read + pull-requests: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: diff --git a/.github/workflows/copilot-pr-prompt-analysis.md b/.github/workflows/copilot-pr-prompt-analysis.md index 3d625aaa2a8..1e31d19381f 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.md +++ b/.github/workflows/copilot-pr-prompt-analysis.md @@ -6,7 +6,11 @@ on: - cron: "0 9 * * *" workflow_dispatch: -permissions: read-all +permissions: + contents: read + issues: read + pull-requests: read + actions: read engine: copilot diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index f2c02e7473a..ce1405ffc20 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml 
@@ -45,7 +45,12 @@ name: "Daily News" - cron: 0 9 * * 1-5 workflow_dispatch: null -permissions: read-all +permissions: + actions: read + contents: read + discussions: read + issues: read + pull-requests: read concurrency: group: "gh-aw-${{ github.workflow }}" @@ -123,7 +128,12 @@ jobs: agent: needs: activation runs-on: ubuntu-latest - permissions: read-all + permissions: + actions: read + contents: read + discussions: read + issues: read + pull-requests: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: diff --git a/.github/workflows/daily-news.md b/.github/workflows/daily-news.md index 2536c4518d6..2ff4e6584c4 100644 --- a/.github/workflows/daily-news.md +++ b/.github/workflows/daily-news.md @@ -5,7 +5,12 @@ on: - cron: "0 9 * * 1-5" workflow_dispatch: -permissions: read-all +permissions: + contents: read + issues: read + pull-requests: read + discussions: read + actions: read engine: copilot diff --git a/.github/workflows/smoke-detector.lock.yml b/.github/workflows/smoke-detector.lock.yml index 6be0322f084..e1cd2f6df68 100644 --- a/.github/workflows/smoke-detector.lock.yml +++ b/.github/workflows/smoke-detector.lock.yml @@ -61,7 +61,11 @@ name: "Smoke Detector - Smoke Test Failure Investigator" - Smoke Copilot Firewall - Smoke Opencode -permissions: read-all +permissions: + actions: read + contents: read + issues: read + pull-requests: read concurrency: group: "gh-aw-${{ github.workflow }}" @@ -870,7 +874,11 @@ jobs: agent: needs: activation runs-on: ubuntu-latest - permissions: read-all + permissions: + actions: read + contents: read + issues: read + pull-requests: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" env: diff --git a/.github/workflows/smoke-detector.md b/.github/workflows/smoke-detector.md index eea7bff1718..42cb4e16cd0 100644 --- a/.github/workflows/smoke-detector.md +++ b/.github/workflows/smoke-detector.md 
@@ -12,7 +12,11 @@ on: - Smoke Copilot Firewall - Smoke Opencode reaction: "eyes" -permissions: read-all +permissions: + contents: read + issues: read + pull-requests: read + actions: read safe-outputs: add-comment: target: "*" diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 0b244e81d71..c509423ff4c 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -54,7 +54,11 @@ name: "Technical Doc Writer" required: true type: string -permissions: read-all +permissions: + actions: read + contents: read + issues: read + pull-requests: read concurrency: group: "gh-aw-${{ github.workflow }}" @@ -524,7 +528,11 @@ jobs: agent: needs: activation runs-on: ubuntu-latest - permissions: read-all + permissions: + actions: read + contents: read + issues: read + pull-requests: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: diff --git a/.github/workflows/technical-doc-writer.md b/.github/workflows/technical-doc-writer.md index 550be931d0f..9d98d9cab85 100644 --- a/.github/workflows/technical-doc-writer.md +++ b/.github/workflows/technical-doc-writer.md @@ -7,7 +7,11 @@ on: required: true type: string -permissions: read-all +permissions: + contents: read + pull-requests: read + issues: read + actions: read engine: id: copilot diff --git a/.github/workflows/test-timestamp-js.md b/.github/workflows/test-timestamp-js.md index dba20363125..5d2294dc367 100644 --- a/.github/workflows/test-timestamp-js.md +++ b/.github/workflows/test-timestamp-js.md @@ -1,6 +1,10 @@ --- on: workflow_dispatch: +permissions: + contents: read + issues: read + pull-requests: read engine: copilot ---
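Review bot: The keys in the `technical-doc-writer.md` hunk are ordered `contents`, `pull-requests`, `issues`, `actions`, while every other `.md` source in this change uses `contents`, `issues`, `pull-requests`, `actions`. The effective permissions are the same, but a single order across files makes a missing or extra scope easier to spot when auditing. I would swap the two middle lines so they read `issues: read` then `pull-requests: read`.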
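Review bot: `.github/workflows/test-timestamp-js.md` gains a `permissions:` block, but no compiled `.lock.yml` for it appears in this diff, unlike every other `.md` source changed here. If a lock file exists for this workflow, it would keep running with the permissions it was last compiled with. Because the source had no `permissions:` key before, that is presumably the repository's default token permissions. Recompiling would close that gap, though the lock file may be outside this view or may not exist. The block also omits `actions: read`, which the other workflows list; if that is deliberate, a one-line comment such as `# actions scope intentionally omitted` would stop it being "fixed" later.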