diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 344ccd5fe..b4f8915c4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,6 +4,9 @@ on: - push - pull_request +permissions: + contents: read # to fetch code (actions/checkout) + jobs: ci: name: ${{ matrix.command }} diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml index 0fd62aa73..cf1180004 100644 --- a/.github/workflows/comment.yml +++ b/.github/workflows/comment.yml @@ -6,8 +6,16 @@ on: types: - created +permissions: + contents: read # to fetch code (actions/checkout) + pull-requests: read # to get info about PR (cirrus-actions/rebase) + jobs: rebase: + permissions: + contents: write # to push code to rebase (cirrus-actions/rebase) + pull-requests: read # to get info about PR (cirrus-actions/rebase) + name: rebase runs-on: ubuntu-latest if: | @@ -25,6 +33,10 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} release_next: + permissions: + contents: read # to fetch code (actions/checkout) + pull-requests: write # to create or update comment (peter-evans/create-or-update-comment) + name: release:next runs-on: ubuntu-latest if: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 07c703b3c..d4860a7b1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,8 +5,13 @@ on: branches: - main +permissions: {} jobs: release: + permissions: + contents: write # to create release (changesets/action) + pull-requests: write # to create pull request (changesets/action) + name: ${{ matrix.channel }} runs-on: ubuntu-latest strategy:
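Review bot: The workflow-level `permissions` block added to comment.yml is not what the `rebase` job actually runs with, because a job-level `permissions` key replaces the workflow-level one entirely rather than merging with it, so `contents: read` / `pull-requests: read` at the top only applies to jobs that declare nothing of their own; with both `rebase` and `release_next` declaring their own, the top-level block is effectively documentation. release.yml in this same commit uses `permissions: {}` for that situation, and comment.yml should match so that any job added later without its own block gets no token scopes by default: `permissions: {}`. Separately, `contents: write` lets this job push with `GITHUB_TOKEN` on what appears to be a comment-triggered event (`types: - created`), so the `if:` condition that follows — its body runs past the end of the hunk — is the only thing restricting who can start it; worth confirming it checks `github.event.comment.author_association`, since narrowing the token scopes here does not gate the trigger.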
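Review bot: `permissions: {}` in release.yml is the right default, but the empty mapping reads like a typo next to the annotated read/write entries below it and deserves the same style of trailing comment: `permissions: {} # no default scopes; each job declares exactly what it needs`. A blank line between it and `jobs:` would also match the layout used in ci.yml and comment.yml in this same commit. One caveat the scoped token does not change: if changesets/action opens its version pull request with `GITHUB_TOKEN`, which these permissions imply, that PR will not trigger `pull_request` workflows such as ci.yml, because events created by `GITHUB_TOKEN` do not start new workflow runs — worth a comment on the job if that is intended, or a different token if CI on the version PR is expected.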