diff --git a/.github/workflows/community-id-requester.yaml b/.github/workflows/community-id-requester.yaml
index 5e3bc6f..8f68f77 100644
--- a/.github/workflows/community-id-requester.yaml
+++ b/.github/workflows/community-id-requester.yaml
@@ -23,6 +23,11 @@ on:
   issues:
     types: [labeled]
 
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
 jobs:
 
   community-id-requester:
diff --git a/.github/workflows/disallowed-content-checks.yaml b/.github/workflows/disallowed-content-checks.yaml
index 3292d4b..e5001ff 100644
--- a/.github/workflows/disallowed-content-checks.yaml
+++ b/.github/workflows/disallowed-content-checks.yaml
@@ -22,6 +22,10 @@ on:
   pull_request_target:
     branches: [main]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   main:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/markdown-checks.yaml b/.github/workflows/markdown-checks.yaml
index ac6249d..6bf69a7 100644
--- a/.github/workflows/markdown-checks.yaml
+++ b/.github/workflows/markdown-checks.yaml
@@ -19,6 +19,9 @@ on:
     branches: [main]
     paths: 'docs/**'
 
+permissions:
+  contents: read
+
 jobs:
   main:
     if: contains(github.repositoryUrl, 'github.com')
diff --git a/.github/workflows/merged-pr-labeler.yaml b/.github/workflows/merged-pr-labeler.yaml
index 4b08df2..8cb397c 100644
--- a/.github/workflows/merged-pr-labeler.yaml
+++ b/.github/workflows/merged-pr-labeler.yaml
@@ -18,6 +18,10 @@ on:
   pull_request_target:
     types: [closed]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
 
   assign-label-on-merge: