diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c831dc3..ff4f0e9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,6 +8,8 @@ on:
       - main
       - 'renovate/**'
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/bump_oxlint.yml b/.github/workflows/bump_oxlint.yml
index 3970012..b5b8b68 100644
--- a/.github/workflows/bump_oxlint.yml
+++ b/.github/workflows/bump_oxlint.yml
@@ -10,9 +10,13 @@ on:
 env:
   OXLINT_PACKAGE_NAME: oxlint
 
+permissions: {}
+
 jobs:
   bump:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
diff --git a/.github/workflows/ci_security.yml b/.github/workflows/ci_security.yml
index ab54240..08ceae2 100644
--- a/.github/workflows/ci_security.yml
+++ b/.github/workflows/ci_security.yml
@@ -13,6 +13,8 @@ on:
     paths:
       - '.github/workflows/**'
 
+permissions: {}
+
 jobs:
   zizmor:
     name: zizmor
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index e4f40e2..c16ce9a 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -8,6 +8,8 @@ on:
       - main
       - 'renovate/**'
 
+permissions: {}
+
 jobs:
   format:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/generate.yml b/.github/workflows/generate.yml
index d03024f..e1ecda1 100644
--- a/.github/workflows/generate.yml
+++ b/.github/workflows/generate.yml
@@ -17,6 +17,8 @@ on:
       - 'scripts/**'
       - '.github/workflows/generate.yml'
 
+permissions: {}
+
 jobs:
   generate:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 6590c8a..8f75faf 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -8,6 +8,8 @@ on:
       - main
       - 'renovate/**'
 
+permissions: {}
+
 jobs:
   lint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f0fc19d..8b7e54a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,8 @@ on:
   push:
     branches: [main]
 
+permissions: {}
+
 jobs:
   release:
     if: startsWith(github.event.head_commit.message, 'release')
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f5ec7e8..fa21c05 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -8,6 +8,8 @@ on:
       - main
       - 'renovate/**'
 
+permissions: {}
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/type-check.yml b/.github/workflows/type-check.yml
index 622d309..c3ea4e6 100644
--- a/.github/workflows/type-check.yml
+++ b/.github/workflows/type-check.yml
@@ -8,6 +8,8 @@ on:
       - main
       - 'renovate/**'
 
+permissions: {}
+
 jobs:
   type-check:
     runs-on: ubuntu-latest