diff --git a/.github/workflows/close-bugs-bot.yml b/.github/workflows/close-bugs-bot.yml
index 6a5a2feb06a..0fb89be9990 100644
--- a/.github/workflows/close-bugs-bot.yml
+++ b/.github/workflows/close-bugs-bot.yml
@@ -3,6 +3,10 @@ on:
 workflow_dispatch:
 schedule:
 - cron: '0 0 * * *' # every day at midnight
+
+permissions:
+ issues: write # Required to label and close stale bug issues via actions/stale
+
 jobs:
 stale:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/close-features-bot.yml b/.github/workflows/close-features-bot.yml
index 6207aab555b..37183d40846 100644
--- a/.github/workflows/close-features-bot.yml
+++ b/.github/workflows/close-features-bot.yml
@@ -3,6 +3,10 @@ on:
 workflow_dispatch:
 schedule:
 - cron: '0 0 * * *' # every day at midnight
+
+permissions:
+ issues: write # Required to label and close feature request issues via actions/stale
+
 jobs:
 stale:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/dotnet-upgrade.yml b/.github/workflows/dotnet-upgrade.yml
index 12dc8be0246..d5bdf1ec15d 100644
--- a/.github/workflows/dotnet-upgrade.yml
+++ b/.github/workflows/dotnet-upgrade.yml
@@ -5,6 +5,10 @@ on:
 - cron: '0 0 * * 1'
 workflow_dispatch:
 
+permissions:
+ contents: write # Required to push the SDK version upgrade branch
+ pull-requests: write # Required to create the upgrade pull request via gh cli
+
 jobs:
 dotnet-update:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/patch_update_main.yml b/.github/workflows/patch_update_main.yml
index f7d2b29f1d9..f2beb19b7c2 100644
--- a/.github/workflows/patch_update_main.yml
+++ b/.github/workflows/patch_update_main.yml
@@ -9,6 +9,10 @@ on:
 - 'patches/runner-main-sdk8-*.patch'
 - 'patches/last_processed_commit.txt'
 
+permissions:
+ contents: write # Required to push patch updates and branches
+ pull-requests: write # Required to create pull requests via peter-evans/create-pull-request
+
 jobs:
 update-patches:
 runs-on: ubuntu-latest
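Review bot: `issues: write` is the only scope granted in .github/workflows/close-bugs-bot.yml, and once a `permissions:` block is present every scope it does not list drops to none. actions/stale processes pull requests as well as issues unless its inputs turn that off, and the step's `with:` block is outside the hunk, so if this workflow still marks or closes pull requests it will start failing on them. Either add `pull-requests: write` next to it, or make the comment state the assumption, e.g. `issues: write # actions/stale is configured for issues only; PR handling is disabled in the step inputs`. The same applies to the hunks in close-features-bot.yml and stale-bot.yml.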
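Review bot: The `permissions:` block added to .github/workflows/dotnet-upgrade.yml sits at workflow level, so every job in the file receives `contents: write` and `pull-requests: write`, not only the one that pushes the branch and opens the pull request. The job list starts at `dotnet-update:` and continues outside the hunk; if there is more than one job, keep the workflow default at `contents: read` and declare the write scopes under the pushing job only, so a compromised or misbehaving step elsewhere runs with a read-only token. The same applies to patch_update_main.yml and patch_update_release.yml, and most visibly to release.yml, whose first job is a `check` gate that presumably only reads the repository yet would inherit `contents: write`.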
diff --git a/.github/workflows/patch_update_release.yml b/.github/workflows/patch_update_release.yml
index a4b1ec899d9..31e42bde0e9 100644
--- a/.github/workflows/patch_update_release.yml
+++ b/.github/workflows/patch_update_release.yml
@@ -9,6 +9,10 @@ on:
 - "patches/runner-sdk8-*.patch"
 - "patches/last_processed_tag.txt"
 
+permissions:
+ contents: write # Required to push patch updates and release branches
+ pull-requests: write # Required to create pull requests via peter-evans/create-pull-request
+
 jobs:
 update-patches:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ae731316831..091dd67759e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,9 @@ on:
 paths:
 - releaseVersion
 
+permissions:
+ contents: write # Required to create GitHub releases and upload release assets
+
 jobs:
 check:
 if: startsWith(github.ref, 'refs/heads/releases/') || github.ref == 'refs/heads/main'
diff --git a/.github/workflows/stale-bot.yml b/.github/workflows/stale-bot.yml
index d0d7e115a27..1c5d227c5df 100644
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@@ -3,6 +3,10 @@ on:
 workflow_dispatch:
 schedule:
 - cron: '0 0 * * 1' # every monday at midnight
+
+permissions:
+ issues: write # Required to label and close stale issues via actions/stale
+
 jobs:
 stale:
 runs-on: ubuntu-latest