diff --git a/.github/workflows/change-file-in-pr.yml b/.github/workflows/change-file-in-pr.yml
index 60661a47..a078ba57 100644
--- a/.github/workflows/change-file-in-pr.yml
+++ b/.github/workflows/change-file-in-pr.yml
@@ -4,6 +4,9 @@ on:
 pull_request:
 types: [opened, synchronize, reopened, labeled]
 
+permissions:
+ contents: read
+
 jobs:
 check-files-in-directory:
 if: ${{ !contains(github.event.pull_request.labels.*.name, 'Release Not Needed') && !contains(github.event.pull_request.labels.*.name, 'Release PR') }}
diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml
index 114d4bf4..85745df8 100644
--- a/.github/workflows/closed-issue-message.yml
+++ b/.github/workflows/closed-issue-message.yml
@@ -2,6 +2,9 @@ name: Closed Issue Message
 on:
 issues:
 types: [closed]
+permissions:
+ issues: write
+
 jobs:
 auto_comment:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml
index b886b910..467b31fd 100644
--- a/.github/workflows/semgrep-analysis.yml
+++ b/.github/workflows/semgrep-analysis.yml
@@ -10,6 +10,9 @@ on:
 schedule:
 - cron: '23 20 * * 1'
 
+permissions:
+ contents: read
+
 jobs:
 semgrep:
 name: Scan
diff --git a/.github/workflows/stale_issues.yml b/.github/workflows/stale_issues.yml
index b6462a55..e9ae5267 100644
--- a/.github/workflows/stale_issues.yml
+++ b/.github/workflows/stale_issues.yml
@@ -5,6 +5,10 @@ on:
 schedule:
 - cron: "0 0/3 * * *"
 
+permissions:
+ issues: write
+ pull-requests: write
+
 jobs:
 cleanup:
 name: Stale issue job
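Review bot: The workflow-level `permissions` block added to change-file-in-pr.yml grants only `contents: read`, which sets every unlisted scope to `none` for all jobs, and the steps of `check-files-in-directory` lie outside the hunk, so it is not visible whether any of them reads pull-request data through the API with `GITHUB_TOKEN`. If one does, `pull-requests: read` needs to be listed next to it. A one-line comment above the block, such as `# Least privilege: any scope not listed here is set to none`, would help whoever adds a step later; the same comment fits the blocks added in closed-issue-message.yml and stale_issues.yml.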
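Review bot: In semgrep-analysis.yml, `contents: read` as the only workflow-level grant leaves `security-events` at `none`, so if the `semgrep` job publishes its findings to code scanning through a SARIF upload step (the job body is outside this hunk, so this is unconfirmed), that step will fail with a permissions error. Check what the job does with its results. If it uploads them, grant `security-events: write` at job level under `semgrep:` rather than widening the workflow-level block, so any job added later still starts from read-only.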