diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 26789093f2..a76e5150dc 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -9,6 +9,8 @@ on:
 jobs:
   backport:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # required for pushing changes
     steps:
       - run: |
           if [[ ! $GITHUB_REF_NAME =~ ^release/v[0-9]+\.[0-9]+\.x-0\.[0-9]+bx$ ]]; then
diff --git a/.github/workflows/package-prepare-patch-release.yml b/.github/workflows/package-prepare-patch-release.yml
index f216eada8a..46a35fd035 100644
--- a/.github/workflows/package-prepare-patch-release.yml
+++ b/.github/workflows/package-prepare-patch-release.yml
@@ -18,6 +18,8 @@ run-name: "[Package][${{ inputs.package }}] Prepare patch release"
 jobs:
   prepare-patch-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # required for pushing changes
     steps:
       - uses: actions/checkout@v4
 
diff --git a/.github/workflows/package-prepare-release.yml b/.github/workflows/package-prepare-release.yml
index d596c4c74a..c597cca5cf 100644
--- a/.github/workflows/package-prepare-release.yml
+++ b/.github/workflows/package-prepare-release.yml
@@ -92,6 +92,8 @@ jobs:
   create-pull-request-against-release-branch:
     runs-on: ubuntu-latest
     needs: prereqs
+    permissions:
+      contents: write # required for pushing changes
     steps:
       - uses: actions/checkout@v4
 
@@ -147,6 +149,8 @@ jobs:
   create-pull-request-against-main:
     runs-on: ubuntu-latest
     needs: prereqs
+    permissions:
+      contents: write # required for pushing changes
     steps:
       - uses: actions/checkout@v4
 
diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml
index f5f7bcb347..8f498807c4 100644
--- a/.github/workflows/package-release.yml
+++ b/.github/workflows/package-release.yml
@@ -17,6 +17,8 @@ run-name: "[Package][${{ inputs.package }}] Release"
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # required for pushing changes
     steps:
       - run: |
           if [[ $GITHUB_REF_NAME != package-release/${{ inputs.package }}* ]]; then
diff --git a/.github/workflows/prepare-patch-release.yml b/.github/workflows/prepare-patch-release.yml
index ccaffafea8..80d4f22640 100644
--- a/.github/workflows/prepare-patch-release.yml
+++ b/.github/workflows/prepare-patch-release.yml
@@ -5,6 +5,8 @@ on:
 jobs:
   prepare-patch-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # required for pushing changes
     steps:
       - uses: actions/checkout@v4
 
diff --git a/.github/workflows/prepare-release-branch.yml b/.github/workflows/prepare-release-branch.yml
index 1d9ff92c05..034ef93d70 100644
--- a/.github/workflows/prepare-release-branch.yml
+++ b/.github/workflows/prepare-release-branch.yml
@@ -38,6 +38,8 @@ jobs:
   create-pull-request-against-release-branch:
     runs-on: ubuntu-latest
     needs: prereqs
+    permissions:
+      contents: write # required for pushing changes
     steps:
       - uses: actions/checkout@v4
 
@@ -120,6 +122,8 @@ jobs:
   create-pull-request-against-main:
     runs-on: ubuntu-latest
     needs: prereqs
+    permissions:
+      contents: write # required for pushing changes
     steps:
       - uses: actions/checkout@v4