diff --git a/.github/workflows/autorebase.yml b/.github/workflows/autorebase.yml
index ba60c0d0d..1a58c441d 100644
--- a/.github/workflows/autorebase.yml
+++ b/.github/workflows/autorebase.yml
@@ -9,6 +9,10 @@ on:
   pull_request:
     types: [labeled]
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   auto-rebase:
     name: AutoRebase
diff --git a/.github/workflows/lint-commit.yml b/.github/workflows/lint-commit.yml
index 343dfd76a..b81cd506a 100644
--- a/.github/workflows/lint-commit.yml
+++ b/.github/workflows/lint-commit.yml
@@ -3,6 +3,9 @@ name: "Lint PR title and commit message"
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   main:
     name: Validate PR title
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 125f2c3f0..8efcd99eb 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -3,6 +3,10 @@ on:
     branches:
       - main
 name: Create release PR
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   release-please:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ui-test-reliability.yml b/.github/workflows/ui-test-reliability.yml
index 3cd369f1f..b4ac20850 100644
--- a/.github/workflows/ui-test-reliability.yml
+++ b/.github/workflows/ui-test-reliability.yml
@@ -10,6 +10,9 @@ on:
 env:
   PW_TEST_HTML_REPORT_OPEN: 'never'
 
+permissions:
+  contents: read
+
 jobs:
   test-reliability:
     if: ${{ github.event.label.name == 'test:reliability' }}
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 24d082f13..9d5222b07 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -7,6 +7,9 @@ on:
       - main
 env:
   PW_TEST_HTML_REPORT_OPEN: 'never'
+permissions:
+  contents: read
+
 jobs:
   repo:
     runs-on: ubuntu-latest