diff --git a/.github/workflows/changelog.yaml b/.github/workflows/changelog.yaml
index f7dec0050c..acbbc83e8d 100644
--- a/.github/workflows/changelog.yaml
+++ b/.github/workflows/changelog.yaml
@@ -1,4 +1,9 @@
 name: "Ensure labels"
+
+permissions:
+  contents: read
+  pull-requests: read
+
 on: # yamllint disable-line rule:truthy
   pull_request:
     types:
diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml
index 62ac7c766f..93ea91cab2 100644
--- a/.github/workflows/prepare_release.yml
+++ b/.github/workflows/prepare_release.yml
@@ -1,5 +1,9 @@
 name: Prepare release
 
+permissions:
+  contents: write
+  pull-requests: write
+
 on:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7b7fa7b2a2..21637a8fee 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,6 +1,10 @@
 # Copied from https://github.com/hashicorp/terraform-provider-scaffolding/blob/master/.github/workflows/release.yml
 name: release
 
+permissions:
+  contents: write
+  pull-requests: write
+
 on:
   pull_request:
     types: [closed]
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 2f071f7d90..83d4e1f0d4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,5 +1,8 @@
 name: Run Tests
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches:
diff --git a/.github/workflows/test_integration.yml b/.github/workflows/test_integration.yml
index d75efc9927..6e00a31650 100644
--- a/.github/workflows/test_integration.yml
+++ b/.github/workflows/test_integration.yml
@@ -1,5 +1,8 @@
 name: Run Integration Tests
 
+permissions:
+  contents: read
+
 on: # yamllint disable-line rule:truthy
   pull_request:
     types: