diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b298dbf..6f5ac00 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,6 +16,9 @@ concurrency:
 group: ${{ github.ref_name }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 puppet:
 name: Puppet
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 73be88d..eacd0b3 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -8,6 +8,10 @@ name: "Pull Request Labeler"
 on:
 pull_request_target: {}
 
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 labeler:
 permissions:
diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml
index 01efa1a..2e3cc68 100644
--- a/.github/workflows/prepare_release.yml
+++ b/.github/workflows/prepare_release.yml
@@ -11,6 +11,10 @@ on:
 description: 'Module version to be released. Must be a valid semver string without leading v. (1.2.3)'
 required: false
 
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 release_prep:
 uses: 'voxpupuli/gha-puppet/.github/workflows/prepare_release.yml@v3'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3db60fb..0a8b1b1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,9 @@ on:
 tags:
 - '*'
 
+permissions:
+ contents: write
+
 jobs:
 release:
 name: Release
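Review bot: In labeler.yml the new top-level block makes `pull-requests: write` the default for every job in a `pull_request_target` workflow, yet the `labeler` job in the trailing context already opens its own `permissions:` block (its contents are outside the hunk). A job-level block replaces the workflow-level one for that job, so the added write scope only affects jobs added later without their own block, which is exactly where a workflow triggered by fork pull requests should default to least privilege. I would keep the top level at `permissions:` with only `contents: read` (or `permissions: {}`) and leave the write scope on the job. The same applies to the workflow-level `contents: write` in prepare_release.yml and release.yml: declaring it under `jobs.release_prep` and `jobs.release` instead keeps later jobs from inheriting it.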
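Review bot: In prepare_release.yml the scopes added here (`contents: write`, `pull-requests: write`) set the ceiling for the token handed to the reusable workflow on the unchanged `uses:` line, and that line references `@v3`, a movable ref rather than a commit. Whoever can move that ref decides what code runs with write access to this repository, so a hardening pass on token scopes is a good moment to pin it, e.g. `uses: 'voxpupuli/gha-puppet/.github/workflows/prepare_release.yml@<full-commit-sha>'  # v3` (placeholder, not a real SHA). A short comment above the block saying which step needs each write scope would also help; presumably they are for pushing the release branch and opening the pull request, but the called workflow is not visible here. The `release_prep` job continues past the end of the hunk.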