diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
index 1fc0f016f44a..299a9a9415da 100644
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
@@ -8,8 +8,13 @@ on:
 env:
   CI: true
 
+permissions:
+  contents: read
+
 jobs:
   build_cli:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
     runs-on: macos-11
     steps:
       - uses: actions/checkout@v2
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 8f023dbc6cc6..4c2812b6196a 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index 3fdea06cd956..abb81dad4a8a 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -9,6 +9,9 @@ on:
   pull_request:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-insiders.yml b/.github/workflows/release-insiders.yml
index bc7b345b4434..e9661feb36fa 100644
--- a/.github/workflows/release-insiders.yml
+++ b/.github/workflows/release-insiders.yml
@@ -4,6 +4,9 @@ on:
   push:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a5bb7c2f8e9f..5fa806898408 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest