diff --git a/roles/collect-kubernetes-logs/tasks/main.yaml b/roles/collect-kubernetes-logs/tasks/main.yaml
index 6341a9ec6..9dc8acec1 100755
--- a/roles/collect-kubernetes-logs/tasks/main.yaml
+++ b/roles/collect-kubernetes-logs/tasks/main.yaml
@@ -7,6 +7,7 @@
   file:
     path: "{{ ansible_user_dir }}/zuul-output/logs/pods"
     state: directory
+    mode: 0755
 
 - name: Save pod descriptions
   loop: "{{ podlist.stdout_lines | default([]) }}"
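Review bot: The added `mode: 0755` is an unquoted YAML integer, so it only produces the intended permissions because the YAML 1.1 loader reads the leading zero as octal. Ansible's module documentation recommends passing the mode as a string so the module does the conversion itself, i.e. `mode: '0755'`. The same applies to every `mode:` line added in this commit, and the ensure-terraform hunk goes the other way by replacing the already quoted `mode: '0755'` with the bare number. Quoting all of them keeps the value stable if it is later templated or read by a YAML 1.2 tool, which would take `0755` as decimal 755.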
@@ -27,6 +28,7 @@
   file:
     path: "{{ ansible_user_dir }}/zuul-output/logs/kubelet"
     state: directory
+    mode: 0755
 
 - name: Save kubelet logs
   shell: "journalctl -u kubelet &> {{ ansible_user_dir }}/zuul-output/logs/kubelet/kubelet.txt"
diff --git a/roles/deploy-openshift/tasks/main.yaml b/roles/deploy-openshift/tasks/main.yaml
index 5506c880e..74604f956 100644
--- a/roles/deploy-openshift/tasks/main.yaml
+++ b/roles/deploy-openshift/tasks/main.yaml
@@ -15,6 +15,7 @@
   file:
     path: "{{ ansible_user_dir }}/.kube"
     state: directory
+    mode: 0700
 
 - name: Setup zuul user kube config
   copy:
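Review bot: The new `mode: 0700` restricts `{{ ansible_user_dir }}/.kube`, but the `copy` task that writes the kube config only begins on the last lines of this hunk, so it is not visible whether the file itself gets an explicit mode. If it does not, add `mode: '0600'` to that task. The kubeconfig presumably carries cluster credentials, and its permissions should not depend on the umask or on the parent directory alone.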
diff --git a/roles/ensure-bazelisk/tasks/main.yaml b/roles/ensure-bazelisk/tasks/main.yaml
index efe48c35a..dce2b33b9 100644
--- a/roles/ensure-bazelisk/tasks/main.yaml
+++ b/roles/ensure-bazelisk/tasks/main.yaml
@@ -7,6 +7,7 @@
   file:
     state: directory
     path: "{{ bazelisk_target | dirname }}"
+    mode: 0755
   when: bazelisk_installed.rc != 0
 
 - name: Download bazelisk
diff --git a/roles/ensure-devstack/tasks/main.yaml b/roles/ensure-devstack/tasks/main.yaml
index 46a38102e..13fda6676 100644
--- a/roles/ensure-devstack/tasks/main.yaml
+++ b/roles/ensure-devstack/tasks/main.yaml
@@ -5,6 +5,7 @@
     state: directory
     owner: "{{ ansible_user }}"
     group: "{{ ansible_user }}"
+    mode: 0755
 - name: Clone devstack
   git:
     repo: https://opendev.org/openstack/devstack
@@ -14,6 +15,7 @@
   template:
     dest: /opt/devstack/local.conf
     src: local.conf.j2
+    mode: 0644
 - name: Run devstack
   command: ./stack.sh
   args:
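Review bot: `mode: 0644` on `/opt/devstack/local.conf` makes the rendered file readable by every local account, and the `template` arguments shown set no `owner`. The contents of `local.conf.j2` are not visible here, but a devstack local.conf commonly holds the admin and service passwords. If this template does, prefer `mode: '0600'` with `owner: "{{ ansible_user }}"`, assuming that is the account that runs `stack.sh`. The task header is outside the hunk, so confirm whether it runs with `become` before choosing the owner.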
diff --git a/roles/ensure-kubernetes/tasks/crio.yaml b/roles/ensure-kubernetes/tasks/crio.yaml
index bede49e46..598cfafb8 100644
--- a/roles/ensure-kubernetes/tasks/crio.yaml
+++ b/roles/ensure-kubernetes/tasks/crio.yaml
@@ -30,6 +30,7 @@
       [registries.block]
       registries = []
     dest: /etc/containers/registries.conf
+    mode: 0644
   become: true
 - name: Set crio cgroup driver
   ini_file:
@@ -37,4 +38,5 @@
     section: crio.runtime
     option: cgroup_manager
     value: '"cgroupfs"'
+    mode: 0644
   become: true
diff --git a/roles/ensure-nodejs/tasks/main.yaml b/roles/ensure-nodejs/tasks/main.yaml
index 86a246e66..3a3715ffb 100644
--- a/roles/ensure-nodejs/tasks/main.yaml
+++ b/roles/ensure-nodejs/tasks/main.yaml
@@ -13,6 +13,7 @@
   copy:
     src: 00-nodesource.pref
     dest: /etc/apt/preferences.d/00-nodesource.pref
+    mode: 0644
   become: yes
 
 - name: Add all repositories
diff --git a/roles/ensure-package-repositories/tasks/RedHat.yaml b/roles/ensure-package-repositories/tasks/RedHat.yaml
index 51e1225a2..cedf07a98 100644
--- a/roles/ensure-package-repositories/tasks/RedHat.yaml
+++ b/roles/ensure-package-repositories/tasks/RedHat.yaml
@@ -8,6 +8,7 @@
   copy:
     content: "{{ zj_item['data'] }}"
     dest: "{{ gpg_key_tempdir.path }}/key-{{ zj_idx }}.gpg"
+    mode: 0644
   loop: "{{ repositories_keys }}"
   loop_control:
     loop_var: zj_item
diff --git a/roles/ensure-package-repositories/tasks/Suse.yaml b/roles/ensure-package-repositories/tasks/Suse.yaml
index 1a1ea9fa3..c6f9ffa71 100644
--- a/roles/ensure-package-repositories/tasks/Suse.yaml
+++ b/roles/ensure-package-repositories/tasks/Suse.yaml
@@ -8,6 +8,7 @@
   copy:
     content: "{{ zj_item['data'] }}"
     dest: "{{ gpg_key_tempdir.path }}/key-{{ zj_idx }}.gpg"
+    mode: 0644
   loop: "{{ repositories_keys }}"
   loop_control:
     loop_var: zj_item
diff --git a/roles/ensure-phoronix-test-suite/tasks/main.yaml b/roles/ensure-phoronix-test-suite/tasks/main.yaml
index e38360f6e..982ab8cd3 100644
--- a/roles/ensure-phoronix-test-suite/tasks/main.yaml
+++ b/roles/ensure-phoronix-test-suite/tasks/main.yaml
@@ -8,11 +8,13 @@
   file:
     path: "{{ ansible_env.HOME }}/.phoronix-test-suite"
     state: directory
+    mode: 0755
 
 - name: Install config
   copy:
     src: user-config.xml
     dest: "{{ ansible_env.HOME }}/.phoronix-test-suite/user-config.xml"
+    mode: 0644
 
 - name: Ensure test results are cleaned
   file:
@@ -23,3 +25,4 @@
   file:
     path: "{{ ansible_env.HOME }}/test-results/"
     state: directory
+    mode: 0755
diff --git a/roles/ensure-terraform/tasks/install-terraform.yaml b/roles/ensure-terraform/tasks/install-terraform.yaml
index 90a702017..8f8e07474 100644
--- a/roles/ensure-terraform/tasks/install-terraform.yaml
+++ b/roles/ensure-terraform/tasks/install-terraform.yaml
@@ -40,6 +40,7 @@
   file:
     path: "{{ terraform_install_tempdir.path }}/{{ terraform_package }}"
     state: directory
+    mode: 0755
 
 - name: Unarchive terraform
   unarchive:
@@ -51,12 +52,13 @@
   file:
     path: "{{ terraform_install_dir }}"
     state: directory
+    mode: 0755
 
 - name: Install terraform
   copy:
     src: "{{ terraform_install_tempdir.path }}/{{ terraform_package }}/terraform"
     dest: "{{ terraform_install_dir }}/terraform"
-    mode: '0755'
+    mode: 0755
     owner: "{{ ansible_user }}"
     remote_src: yes
 
diff --git a/roles/ensure-zookeeper/tasks/main.yaml b/roles/ensure-zookeeper/tasks/main.yaml
index f5f53d229..692b68097 100644
--- a/roles/ensure-zookeeper/tasks/main.yaml
+++ b/roles/ensure-zookeeper/tasks/main.yaml
@@ -8,6 +8,7 @@
   file:
     path: /tmp/zookeeper
     state: directory
+    mode: 0755
   become: true
 
 - name: Get and extract Zookeeper
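Review bot: `/tmp/zookeeper` is a fixed name in a world-writable directory, and this task (run with `become: true`) sets `mode` but no ownership. If the path already exists when the role runs, the directory keeps whatever owner it had and is only chmod-ed. Add explicit `owner:` and `group:` for the account Zookeeper runs as, or place the directory outside `/tmp`, so the result does not depend on what was there before. The task name is outside the hunk.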
@@ -29,6 +30,7 @@
     src: /opt/zookeeper/conf/zoo_sample.cfg
     dest: /opt/zookeeper/conf/zoo.cfg
     remote_src: true
+    mode: 0644
   become: true
 
 - name: Ensure Zookeeper not running