diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
index 8c42bdc86..0522bdad5 100644
--- a/.github/workflows/add-to-project.yml
+++ b/.github/workflows/add-to-project.yml
@@ -3,6 +3,9 @@ on:
 types:
 - opened
 
+permissions:
+ contents: read
+
 jobs:
 add-to-project:
 name: Add issue to project
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fa46b3ef4..e27fd3946 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,6 +4,9 @@ on:
 push:
 pull_request:
 
+permissions:
+ contents: read
+
 jobs:
 build:
 if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 424ce4de2..200e8825a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,6 +8,9 @@ on:
 schedule:
 - cron: '38 21 * * 1'
 
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/release-github.yml b/.github/workflows/release-github.yml
index 96a5ac22c..79af44799 100644
--- a/.github/workflows/release-github.yml
+++ b/.github/workflows/release-github.yml
@@ -5,8 +5,13 @@ on:
 tags:
 - v*
 
+permissions:
+ contents: read
+
 jobs:
 build:
+ permissions:
+ contents: write # for goreleaser/goreleaser-action to create a GitHub release
 name: Release Notation Binaries
 runs-on: ubuntu-20.04
 strategy:
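Review bot: In .github/workflows/add-to-project.yml the new workflow-level block still grants `contents: read`, which a job that only files opened issues into a project may not need. The job's steps are outside the hunk, so this is an assumption, but if it never checks out the repository and talks to the project API with its own token, `permissions: {}` would leave the GITHUB_TOKEN with no scopes at all. Confirm against the job body before tightening.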
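Review bot: In .github/workflows/codeql.yml the workflow-level `permissions:` lists only `contents: read`, which sets every unlisted scope to none, while uploading CodeQL results needs `security-events: write`. The `analyze` job continues past the end of the hunk, so it may already declare its own block. If it does not, add a job-level `permissions:` under `analyze:` with `security-events: write` and `contents: read`, because a job-level block replaces the workflow-level one rather than extending it. Without that, the analysis would likely still run but the result upload would be rejected.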
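Review bot: In .github/workflows/release-github.yml the job-level `contents: write` applies to every step of `build` and, since the job has a `strategy:` key, presumably to every matrix leg, not only the goreleaser step named in the comment. The `uses:` lines are outside the hunk, so I cannot tell whether the actions in this job are pinned to a full commit SHA. That is the companion hardening for a job that holds a write token on tag pushes. I would extend the inline comment to record the constraint, for example `# contents: write covers all steps in this job; keep third-party actions pinned to a full commit SHA`. If the build steps can be separated from publishing, a dedicated release job would let the build keep the read-only default.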