diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 4bc7be1c..9dbf2a70 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,5 +1,8 @@
 name: lint
 
+permissions:
+  contents: read
+
 on:
   pull_request:
   push:
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
index 184a3fc0..9d71729b 100644
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -1,4 +1,7 @@
 name: PR Labeler
+permissions:
+  contents: read
+  pull-requests: write
 on:
   pull_request:
     types: [opened]
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index eec6a016..a8904daa 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -8,6 +8,9 @@ on:
 jobs:
   update_release_draft:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: read
     steps:
       - name: Update release draft
         uses: release-drafter/release-drafter@v7
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index c1a7c00d..0fd3b6e1 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,5 +1,8 @@
 name: test
 
+permissions:
+  contents: read
+
 on:
   pull_request:
   push: