diff --git a/.github/workflows/build-test-artifacts.yml b/.github/workflows/build-test-artifacts.yml
index 14e045a201..25888793df 100644
--- a/.github/workflows/build-test-artifacts.yml
+++ b/.github/workflows/build-test-artifacts.yml
@@ -116,6 +116,8 @@ jobs:
     needs: [ BuildAndUploadPackages, BuildAndUploadITAR, BuildAndUploadCN, BuildDocker, BuildDistributor ]
     if: ${{ github.event_name == 'push' || inputs.test-image-before-upload }}
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - run: gh workflow run integration-test.yml --ref ${{ github.ref_name }} --repo $GITHUB_REPOSITORY -f build_run_id=${{ github.run_id }} -f build_sha=${{ github.sha }}
         env:
@@ -126,6 +128,8 @@ jobs:
     # Workflow only runs against main
     if: ${{ github.event_name == 'push' || inputs.test-image-before-upload }}
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - run: gh workflow run application-signals-e2e-test.yml --ref ${{ github.ref_name }} --repo $GITHUB_REPOSITORY -f build_run_id=${{ github.run_id }} -f build_sha=${{ github.sha }}
         env:
@@ -135,6 +139,8 @@ jobs:
     needs: [ BuildAndUploadPackages, BuildAndUploadITAR, BuildAndUploadCN, BuildDocker, BuildDistributor ]
     if: ${{ github.event_name == 'push' || inputs.test-image-before-upload }}
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - run: gh workflow run e2e-test.yml --ref ${{ github.ref_name }} --repo $GITHUB_REPOSITORY -f build_sha=${{ github.sha }}
         env:
@@ -144,7 +150,9 @@ jobs:
     needs: [ BuildAndUploadPackages, BuildAndUploadITAR, BuildAndUploadCN, BuildDocker, BuildDistributor ]
     if: ${{ github.event_name == 'push' || inputs.test-image-before-upload }}
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - run: gh workflow run wd-integration-test.yml --ref ${{ github.ref_name }} --repo $GITHUB_REPOSITORY -f build_run_id=${{ github.run_id }} -f build_sha=${{ github.sha }}
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/otel-fork-replace.yml b/.github/workflows/otel-fork-replace.yml
index 60499ef2f5..fb22fbd8a6 100644
--- a/.github/workflows/otel-fork-replace.yml
+++ b/.github/workflows/otel-fork-replace.yml
@@ -15,6 +15,9 @@ on:
 
 jobs:
   update-components:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - name: Get latest commit sha
diff --git a/.github/workflows/release-candidate-test.yml b/.github/workflows/release-candidate-test.yml
index dfd0417c27..dbb38b4502 100644
--- a/.github/workflows/release-candidate-test.yml
+++ b/.github/workflows/release-candidate-test.yml
@@ -45,6 +45,8 @@ jobs:
 
   StartIntegrationTests:
     needs: [ RepackageArtifacts, OutputEnvVariables ]
+    permissions:
+      actions: write
     runs-on: ubuntu-latest
     steps:
       # Avoid the limit of 5 nested workflows by executing the workflow in this manner