diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3d845d00bf..6c06718c12 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,8 @@
 # licenses/APL2.txt.
 
 name: ci
+permissions:
+  contents: read
 
 on:
   push:
diff --git a/.github/workflows/openapi-pr.yml b/.github/workflows/openapi-pr.yml
index 7be8ac4a1c..487e67dff6 100644
--- a/.github/workflows/openapi-pr.yml
+++ b/.github/workflows/openapi-pr.yml
@@ -7,12 +7,18 @@
 # licenses/APL2.txt.
 
 name: openapi-pr
+permissions:
+  contents: read
+  pull-requests: write
 
 on:
   pull_request:
     # Only run when we change an API spec
     paths:
       - 'docs/api/**'
+      - '.redocly.yaml'
+      - '.yamllint.yml'
+      - '.github/workflows/openapi-pr.yml'
     branches:
       - 'master'
       - 'main'
diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml
index 8ca19474fe..56f65b8956 100644
--- a/.github/workflows/openapi.yml
+++ b/.github/workflows/openapi.yml
@@ -7,12 +7,17 @@
 # licenses/APL2.txt.
 
 name: openapi
+permissions:
+  contents: read
 
 on:
   push:
     # Only run when we change an API spec
     paths:
       - 'docs/api/**'
+      - '.redocly.yaml'
+      - '.yamllint.yml'
+      - '.github/workflows/openapi.yml'
     branches:
       - 'master'
       - 'main'
diff --git a/.github/workflows/service.yml b/.github/workflows/service.yml
index 1c0267b5b9..c3bb91ce44 100644
--- a/.github/workflows/service.yml
+++ b/.github/workflows/service.yml
@@ -7,6 +7,8 @@
 # licenses/APL2.txt.
 
 name: service
+permissions:
+  contents: read
 
 on:
   push:
@@ -14,6 +16,7 @@ on:
     paths:
       - 'service/**'
       - 'integration-test/**'
+      - '.github/workflows/service.yml'
     branches:
       - 'main'
       - 'release/*'