diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 47b863f28c..90e2d7042f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,12 +15,18 @@ on:
 - reopened
 - synchronize
+permissions:
+ contents: read
+
 env:
 GOLANGCI_LINT_VERSION: 'v1.54.2'
 NFPM_VERSION: 'v2.32.0'
 jobs:
 lint:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
 name: Lint
 runs-on: ubuntu-22.04
 steps:
diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml
index 339afa7142..30a7b2f616 100644
--- a/.github/workflows/label-pr.yml
+++ b/.github/workflows/label-pr.yml
@@ -4,6 +4,9 @@ on:
 pull_request_target:
 types: [opened, reopened, synchronize]
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 jobs:
 label-pr:
 permissions:
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
index 8381a0fac9..2baf31db42 100644
--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -22,6 +22,9 @@ on:
 jobs:
 update-draft:
+ permissions:
+ contents: write
+ pull-requests: write
 name: Update Release
 runs-on: ubuntu-22.04
 steps:
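Review bot: In label-pr.yml the new workflow-level `permissions` block does not change what the `label-pr` job's token can do. That job already declares its own `permissions:` (visible as the last context line, with its entries outside the hunk), and a job-level block replaces the workflow-level one rather than merging with it. Because this workflow triggers on `pull_request_target`, where the run uses the base repository's token and secrets, the job-level scopes are what bound a fork-triggered run and are the part worth auditing. I would swap the provenance comment for one that states intent, e.g. `permissions:  # default for jobs that declare no permissions of their own`, and keep the tool reference in the commit message.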
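Review bot: release-branch.yml gets job-level write scopes on `update-draft` but, unlike ci.yml and label-pr.yml in this same commit, no workflow-level default, so any other job in this file (none is visible in the hunk) would still run with the repository's default token permissions. Adding `permissions:` with `contents: read` above `jobs:` would make the three workflows consistent. The two write scopes also carry no rationale, whereas the lint job in ci.yml annotates each scope. A short `# for <action> to <purpose>` comment on each line would let a reviewer confirm that `pull-requests: write` is really needed by the steps, which lie outside the hunk.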