diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index e0d99fc8..f49976b5 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -3,9 +3,14 @@ name: "Set theme labels"
 on:
 - pull_request_target
+permissions:
+ contents: read
+
 jobs:
 triage:
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
 steps:
 - uses: actions/labeler@v4
 with:
diff --git a/.github/workflows/labels-verify.yml b/.github/workflows/labels-verify.yml
index 0c18ecb7..7315a905 100644
--- a/.github/workflows/labels-verify.yml
+++ b/.github/workflows/labels-verify.yml
@@ -4,9 +4,14 @@ on:
 pull_request_target:
 types: [opened, labeled, unlabeled, synchronize]
+permissions:
+ contents: none
+
 jobs:
 triage:
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: read
 steps:
 - uses: baev/action-label-verify@main
 with:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 28af62d5..d34e4ba6 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,6 +4,9 @@ on:
 release:
 types: [ published ]
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1f8821c2..4540e572 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,9 +11,14 @@ on:
 description: "The next version in . format WITHOUT SNAPSHOT SUFFIX"
 required: true
+permissions:
+ contents: read
+
 jobs:
 triage:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: "Check release version"
 run: |
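Review bot: In labeler.yml the job-level `permissions:` block on `triage` replaces the workflow-level block rather than adding to it, so the job runs with `pull-requests: write` only and `contents` falls to `none`; the new top-level `contents: read` has no effect on this job. If `actions/labeler@v4` reads its label configuration from the repository with the workflow token (its `with:` inputs lie outside the hunk, so this cannot be confirmed here), list both scopes under the job: `contents: read` and `pull-requests: write`. A comment above the job block such as `# job-level permissions replace the workflow default; list every scope this job needs` would keep a later editor from assuming inheritance.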
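Review bot: In labels-verify.yml `baev/action-label-verify@main` still resolves to a mutable branch of a third-party repository, and under `pull_request_target` it runs in the base repository's context, so the token scoping added here limits what a changed upstream action could do with the token but not whether it runs. Pin the reference to a full commit SHA, e.g. `- uses: baev/action-label-verify@<full-commit-sha>  # main as of <date>`, and bump it deliberately. The same applies to the `actions/labeler@v4` tag in labeler.yml, whose job holds `pull-requests: write`. The `with:` inputs continue outside the hunk; any secret passed there is not constrained by the `permissions:` block.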