diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index e8b96514f..17f451fd6 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -2,8 +2,14 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target
+permissions:
+ contents: read
+
 jobs:
 triage:
+ permissions:
+ contents: read # for actions/labeler to determine modified files
+ pull-requests: write # for actions/labeler to add labels to PRs
 runs-on: ubuntu-latest
 steps:
 - uses: actions/labeler@v4
diff --git a/.github/workflows/size-labeler.yml b/.github/workflows/size-labeler.yml
index f04024fa3..4c54d827f 100644
--- a/.github/workflows/size-labeler.yml
+++ b/.github/workflows/size-labeler.yml
@@ -4,8 +4,13 @@ name: size-labeler
 on: [pull_request_target]
+permissions:
+ contents: read
+
 jobs:
 size-labeler:
+ permissions:
+ pull-requests: write # for codelytv/pr-size-labeler to add labels & comment on PRs
 runs-on: ubuntu-latest
 name: Label the PR size
 steps:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index a63518f69..da732a7e0 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,9 +4,15 @@ on:
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ contents: read
+
 jobs:
 stale:
+ permissions:
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index e0c2f15c7..8cdae3fc6 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,9 +7,15 @@ on:
 env:
 GO111MODULE: on
+permissions:
+ contents: read
+
 jobs:
 golangci-lint:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
 runs-on: ubuntu-latest
 steps:
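Review bot: The `- uses: actions/labeler@v4` step at the end of the labeler.yml hunk is referenced by a mutable tag, so the `pull-requests: write` token that `triage` now receives under `pull_request_target` is handed to whatever commit that tag points at. Pinning the step to a full commit SHA, `- uses: actions/labeler@<full-commit-sha> # v4`, would make the scope reduction in this hunk hold even if the tag is moved. The job-level `contents: read` repeats the workflow default on purpose, because a job-level `permissions` block replaces the workflow-level one instead of merging with it; the comment could say that, e.g. `contents: read # repeated: a job-level block replaces the workflow default`.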
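Review bot: The job-level `permissions` block on `size-labeler` lists only `pull-requests: write`, and since a job-level block replaces the workflow-level one, this job's token has no `contents` access at all despite the `contents: read` added above it. If that is intended, the comment should say so, e.g. `pull-requests: write # only scope this job gets; overrides the workflow default`. If the action or a later step needs to read repository files (the `steps:` body is outside the hunk, so this cannot be checked here), add `contents: read` to the job as labeler.yml does. The same applies to the `stale` job in the stale.yml hunk, which gets `issues: write` and `pull-requests: write` and nothing else.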
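Review bot: `pull-requests: read` on `golangci-lint` in test.yml looks broader than needed unless the lint step sets `only-new-issues`, which as far as I know is the only golangci-lint-action option that uses it; the step's inputs are outside this hunk, so this needs confirming against the full file. If the option is not set, the job can run with `contents: read` alone. The new workflow-level `contents: read` also becomes the default token scope for every other job in test.yml, so any job there that uploads results or comments on PRs (none is visible here) has to declare its own `permissions` block.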