diff --git a/.github/workflows/changelog.yaml b/.github/workflows/changelog.yaml
index 6dd28dcc4..c3454b79c 100644
--- a/.github/workflows/changelog.yaml
+++ b/.github/workflows/changelog.yaml
@@ -1,4 +1,8 @@
 name: "Ensure labels"
+
+permissions:
+  pull-requests: read
+
 on: # yamllint disable-line rule:truthy
   pull_request:
     types:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 330c87a2f..387ae5dd1 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,5 +1,9 @@
 name: "CodeQL"
 
+permissions:
+  contents: read
+  checks: write
+
 on:
   push:
     branches: [ master ]
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 0bd3565ac..efe88ab83 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -1,4 +1,9 @@
 name: "Pull Request Labeler"
+
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
 - pull_request
 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 8008ff16f..1898f83c6 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,5 +1,9 @@
 name: Build
 
+permissions:
+  contents: write
+  pull-requests: write
+
 on:
   pull_request:
   release:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index c5291bfc5..51f9ad156 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,6 +1,12 @@
 # Configuration for https://github.com/actions/stale
 
 name: "Stale issues and pull requests"
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
 on:
   schedule:
   - cron: "0 5 * * *"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 36572d945..f86f06175 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,5 +1,8 @@
 name: test
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
diff --git a/.github/workflows/test_integration.yml b/.github/workflows/test_integration.yml
index cd8d494ad..152c0b500 100644
--- a/.github/workflows/test_integration.yml
+++ b/.github/workflows/test_integration.yml
@@ -1,5 +1,8 @@
 name: Run Integration Tests
 
+permissions:
+  contents: read
+
 on: # yamllint disable-line rule:truthy
   pull_request:
     types: