diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 30c503b9a0..62a1bb1857 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -6,6 +6,9 @@ on: - closed - labeled +permissions: + pull-requests: write + jobs: backport: name: Backport
diff --git a/.github/workflows/brakeman-analysis.yml b/.github/workflows/brakeman-analysis.yml
index 51e7b0bb0f..af75235f19 100644
--- a/.github/workflows/brakeman-analysis.yml
+++ b/.github/workflows/brakeman-analysis.yml
@@ -7,6 +7,10 @@ concurrency: group: brakeman-${{ github.ref_name }} cancel-in-progress: ${{ github.ref_name != 'main' }} +permissions: + contents: read + security-events: write + on: push: branches: [main]
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
index c2340c0dba..8d71c49c6c 100644
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -15,6 +15,8 @@ on: jobs: check_bun_lock: + permissions: + contents: read runs-on: ubuntu-22.04 name: Check bun.lockdb steps:
@@ -30,6 +32,8 @@ jobs: bun_lock_changed: ${{ steps.changed-bun-lock.outputs.any_changed }} build_javascript: + permissions: + contents: read runs-on: ubuntu-22.04 name: Build JS packages needs: check_bun_lock
@@ -55,6 +59,8 @@ jobs: path: vendor/javascript RSpec: + permissions: + contents: read needs: [check_bun_lock, build_javascript] if: ${{ success('check_bun_lock') && !failure('build_javascript') }} runs-on: ubuntu-22.04
@@ -164,6 +170,8 @@ jobs: spec/dummy/tmp/screenshots PushJavascript: + permissions: + contents: write runs-on: ubuntu-22.04 needs: [check_bun_lock, RSpec] if: github.event_name == 'pull_request'
@@ -196,6 +204,8 @@ jobs: branch: ${{ github.head_ref }} Jest: + permissions: + contents: read runs-on: ubuntu-22.04 env: NODE_ENV: test
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 160ac82114..c553af0b21 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
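Review bot: The new workflow-level block in backport.yml grants only `pull-requests: write`, and once any `permissions:` block is present every unlisted scope, including `contents`, drops to none. If the backport job creates and pushes a backport branch it will also need `contents: write`; the job's steps are outside the hunk, so check what the action it runs requires and add that single scope explicitly rather than removing the block. The trailing blank added line matches the layout used in the other workflow files of this commit.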
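Review bot: In brakeman-analysis.yml, `contents: read` plus `security-events: write` is the right minimum for uploading a SARIF report, but if the job uses codeql-action/upload-sarif in a private repository it additionally needs `actions: read`; the job's steps are outside the hunk, so confirm which case applies. As a point of style, the block is inserted between `concurrency:` and `on:`, while backport.yml, lint.yml and stale.yml in this same commit place `permissions:` directly above `jobs:`; using one placement across files makes the granted scopes easier to audit at a glance.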
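Review bot: In build_test.yml the scopes are declared per job and no workflow-level `permissions:` block is added, so any job defined in the stretches between these hunks, or added later, keeps the repository's default token permissions. A top-level `permissions:` with `contents: read` placed after `on:` gives the whole workflow a read-only floor, and the job-level blocks added here, including `contents: write` on PushJavascript, still override it where needed. The same observation applies to the build_javascript, RSpec, PushJavascript and Jest hunks of this file.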
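Review bot: In the PushJavascript hunk, `contents: write` is granted to a job that runs whenever `github.event_name == 'pull_request'` and, judging by the `branch: ${{ github.head_ref }}` context in the following hunk, pushes back to the PR head branch. On a pull request opened from a fork the token is read-only regardless of this block, so that push fails rather than being skipped, because the `if:` condition does not distinguish fork PRs from same-repository ones. Narrowing it, e.g. `if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository`, keeps the write-scoped job from running at all on fork PRs. The remaining steps of PushJavascript are outside the hunk.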
@@ -6,6 +6,9 @@ concurrency: group: lint-${{ github.ref_name }} cancel-in-progress: ${{ github.ref_name != 'main' }} +permissions: + contents: read + jobs: Standard: runs-on: ubuntu-22.04
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 1821afb177..d1129b581b 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,10 +4,13 @@ on: schedule: - cron: "0 0 * * *" +permissions: + pull-requests: write + issues: write + jobs: stale: runs-on: ubuntu-22.04 - steps: - uses: actions/stale@v5 with: