diff --git a/.github/workflows/branch-pr-release.yaml b/.github/workflows/branch-pr-release.yaml
index 23695b71..3022336d 100644
--- a/.github/workflows/branch-pr-release.yaml
+++ b/.github/workflows/branch-pr-release.yaml
@@ -5,6 +5,9 @@ on:
   pull_request:
     branches:
       - main
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index bc39ef19..54cd04db 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/template-schema-updater.yaml b/.github/workflows/template-schema-updater.yaml
index f50181ba..dab2d1b3 100644
--- a/.github/workflows/template-schema-updater.yaml
+++ b/.github/workflows/template-schema-updater.yaml
@@ -3,6 +3,10 @@ on:
   schedule:
     - cron: '0 */8 * * *'
   workflow_dispatch: # Enables on-demand/manual triggering: https://docs.github.com/en/free-pro-team@latest/actions/managing-workflow-runs/manually-running-a-workflow
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   schema-updater:
     runs-on: ubuntu-latest