diff --git a/.github/workflows/build-daily.yml b/.github/workflows/build-daily.yml
index adca71fb..0374e0e8 100644
--- a/.github/workflows/build-daily.yml
+++ b/.github/workflows/build-daily.yml
@@ -7,8 +7,12 @@ on:
 # allow manual runs
 workflow_dispatch:
+# implicitely set all other permissions to none
 permissions:
- contents: read
+ checks: write # test.yml
+ contents: read # debos.yml test.yml
+ packages: read # test.yml
+ pull-requests: write # test.yml
 jobs:
 build-daily:
diff --git a/.github/workflows/build-on-pr.yml b/.github/workflows/build-on-pr.yml
index 3e05dfb9..830f14b8 100644
--- a/.github/workflows/build-on-pr.yml
+++ b/.github/workflows/build-on-pr.yml
@@ -3,11 +3,12 @@ name: Build on PR
 on:
 pull_request:
+# implicitely set all other permissions to none
 permissions:
- checks: write # required by test reporting action
- pull-requests: write # required by test reporting action
- contents: read # github default
- packages: read # github default
+ checks: write # test.yml
+ contents: read # debos.yml lava-schema-check.yml test.yml
+ packages: read # test.yml
+ pull-requests: write # test.yml
 jobs:
 event-file:
diff --git a/.github/workflows/build-on-push.yml b/.github/workflows/build-on-push.yml
index 5e6b395b..8cbedc2e 100644
--- a/.github/workflows/build-on-push.yml
+++ b/.github/workflows/build-on-push.yml
@@ -4,11 +4,12 @@ on:
 push:
 branches: [main]
+# implicitely set all other permissions to none
 permissions:
- checks: write
- pull-requests: write
- contents: read
- packages: read
+ checks: write # test.yml
+ contents: read # debos.yml lava-schema-check.yml test.yml
+ packages: read # test.yml
+ pull-requests: write # test.yml
 jobs:
 build-daily:
diff --git a/.github/workflows/debos.yml b/.github/workflows/debos.yml
index a651d723..442689e5 100644
--- a/.github/workflows/debos.yml
+++ b/.github/workflows/debos.yml
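Review bot: The `checks: write` and `pull-requests: write` grants added at the workflow level of build-daily.yml (and likewise in the build-on-pr.yml and build-on-push.yml hunks) apply to every job in the workflow, while the `# test.yml` comments identify the call into test.yml as the only consumer. A caller may set `permissions:` on the job that `uses:` the reusable workflow, so the top-level block could stay at `contents: read` / `packages: read` and the two write scopes move to that job, leaving the build jobs with a read-only token; that job lies outside the hunk, so this is inferred from the comments rather than seen. Separately, the comment `# implicitely set all other permissions to none` added in all ten files of this commit misspells "implicitly"; `# implicitly set all other permissions to none` is the fix in each.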
@@ -7,10 +7,9 @@ on:
 description: "URL to retrieve build artifacts"
 value: ${{ jobs.build-debos.outputs.url }}
-# only need permission to read repository; implicitely set all other
-# permissions to none
+# implicitely set all other permissions to none
 permissions:
- contents: read
+ contents: read # actions/checkout
 # cancel in progress builds for this workflow triggered by the same ref
 concurrency:
diff --git a/.github/workflows/lava-schema-check.yml b/.github/workflows/lava-schema-check.yml
index b731a422..17c20410 100644
--- a/.github/workflows/lava-schema-check.yml
+++ b/.github/workflows/lava-schema-check.yml
@@ -1,8 +1,12 @@
-name: Chech LAVA templates
+name: Check LAVA templates
 on:
 workflow_call:
+# implicitely set all other permissions to none
+permissions:
+ contents: read # actions/checkout
+
 jobs:
 schema-check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index aaeb98d0..39b54ccc 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -7,10 +7,9 @@ on:
 # allow manual runs
 workflow_dispatch:
-# only need permission to read repository; implicitely set all other
-# permissions to none
+# implicitely set all other permissions to none
 permissions:
- contents: read
+ contents: read # actions/checkout
 env:
 # where results will be posted/hosted
diff --git a/.github/workflows/static-checks.yml b/.github/workflows/static-checks.yml
index ea9e47c3..9ef69d28 100644
--- a/.github/workflows/static-checks.yml
+++ b/.github/workflows/static-checks.yml
@@ -8,10 +8,9 @@ on:
 push:
 branches: [main]
-# only need permission to read repository; implicitely set all other
-# permissions to none
+# implicitely set all other permissions to none
 permissions:
- contents: read
+ contents: read # actions/checkout
 # cancel in progress builds for this workflow triggered by the same ref
 concurrency:
diff --git a/.github/workflows/test-pr.yml b/.github/workflows/test-pr.yml
index 029eca12..1eb9a32d 100644
--- a/.github/workflows/test-pr.yml
+++ b/.github/workflows/test-pr.yml
@@ -8,11 +8,14 @@ on:
 types:
 - completed
+# implicitely set all other permissions to none
 permissions:
- checks: write # required by test reporting action
- pull-requests: write # required by test reporting action
- contents: read # github default
- packages: read # github default
+ checks: write # test.yml EnricoMi/publish-unit-test-result-action
+ contents: read # test.yml actions/checkout
+ packages: read # test.yml actions/download-artifact
+ # test.yml EnricoMi/publish-unit-test-result-action
+ # thollander/actions-comment-pull-request
+ pull-requests: write
 jobs:
 retrieve-build-url:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 341bf19d..8969db09 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,6 +7,13 @@ on:
 required: true
 type: string
+# implicitely set all other permissions to none
+permissions:
+ checks: write # EnricoMi/publish-unit-test-result-action
+ contents: read # actions/checkout
+ packages: read # actions/download-artifact
+ pull-requests: write # EnricoMi/publish-unit-test-result-action
+
 jobs:
 prepare-job-list:
 runs-on: ubuntu-latest
@@ -74,9 +81,6 @@ jobs:
 name: "Publish Tests Results"
 needs: submit-job
 runs-on: ubuntu-latest
- permissions:
- checks: write
- pull-requests: write
 steps:
 - name: Download Artifacts
diff --git a/.github/workflows/u-boot.yml b/.github/workflows/u-boot.yml
index 647922c5..449af40c 100644
--- a/.github/workflows/u-boot.yml
+++ b/.github/workflows/u-boot.yml
@@ -7,10 +7,9 @@ on:
 # allow manual runs
 workflow_dispatch:
-# only need permission to read repository; implicitely set all other
-# permissions to none
+# implicitely set all other permissions to none
 permissions:
- contents: read
+ contents: read # actions/checkout
 env:
 # where results will be posted/hosted
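Review bot: The inline comment `packages: read # test.yml actions/download-artifact` attributes the packages scope to actions/download-artifact, but that scope governs GitHub Packages, whereas fetching an artifact from another workflow run goes through the Actions API and, as far as I know, needs `actions: read` on the token; the same attribution appears in the new workflow-level block of test.yml (first hunk). Worth confirming which step actually pulls a package: if none does, `packages: read` can be dropped here and in test.yml, and if the retrieve/download jobs of test-pr.yml fetch from the PR's run, `actions: read` may be the scope that is really required. Since this workflow runs on `workflow_run` with `pull-requests: write` and `checks: write`, a line above the block such as `# artifacts downloaded below come from the untrusted PR run; treat them as data only` would record why those jobs must not execute or interpolate downloaded content; the jobs themselves are outside the hunk.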
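Review bot: Removing the job-level `permissions:` from the "Publish Tests Results" job widens the write scopes to every job in test.yml, because the new workflow-level block in the first hunk now grants `checks: write` and `pull-requests: write` to prepare-job-list, submit-job and any other job, whereas before only the publishing job held them. The narrower form still works inside a reusable workflow: keep the top-level block at `contents: read` / `packages: read` and restore the three removed lines on this job; callers must still grant the union, but the other jobs' tokens stay read-only. The job's steps continue past the end of the hunk.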