diff --git a/.github/workflows/add_milestone.yml b/.github/workflows/add_milestone.yml
index 6e52ed08bc2643..cc647378a54604 100644
--- a/.github/workflows/add_milestone.yml
+++ b/.github/workflows/add_milestone.yml
@@ -15,6 +15,8 @@ jobs:
 name: Add Milestone on PR
 if: github.event.pull_request.merged == true
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GH_REPO: ${{ github.repository }}
diff --git a/.github/workflows/backport-pr.yml b/.github/workflows/backport-pr.yml
index 7f4f5f296dfad6..3e32c1544e2a9d 100644
--- a/.github/workflows/backport-pr.yml
+++ b/.github/workflows/backport-pr.yml
@@ -20,6 +20,8 @@ jobs:
 && contains(github.event.label.name, 'backport')
 )
 )
+ permissions:
+ contents: write
 steps:
 - uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
 id: app-token
diff --git a/.github/workflows/create_rc_pr.yml b/.github/workflows/create_rc_pr.yml
index 985e7c3992ae2f..06da9153cba6c0 100644
--- a/.github/workflows/create_rc_pr.yml
+++ b/.github/workflows/create_rc_pr.yml
@@ -47,6 +47,9 @@ jobs:
 create_rc_pr:
 runs-on: ubuntu-latest
 needs: find_release_branches
+ permissions:
+ contents: write # push commit and branch
+ pull-requests: write
 strategy:
 matrix:
 value: ${{fromJSON(needs.find_release_branches.outputs.branches)}}
diff --git a/.github/workflows/cws-btfhub-sync.yml b/.github/workflows/cws-btfhub-sync.yml
index 8b08a9d018efda..a49e47f7b6b87b 100644
--- a/.github/workflows/cws-btfhub-sync.yml
+++ b/.github/workflows/cws-btfhub-sync.yml
@@ -93,6 +93,8 @@ jobs:
 combine:
 needs: generate
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: Checkout datadog-agent repository
 uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
diff --git a/.github/workflows/label-analysis.yml b/.github/workflows/label-analysis.yml
index baf7e0f3b67106..1f0601757941fb 100644
--- a/.github/workflows/label-analysis.yml
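Review bot: In add_milestone.yml the new `pull-requests: write` grant carries no note on what it is for, unlike the `contents: write # push commit and branch` line this commit adds to create_rc_pr.yml. A short trailing comment such as `pull-requests: write # set the milestone on the merged PR` would let a later reviewer judge whether the scope is still needed. The same applies to the uncommented grants in backport-pr.yml, cws-btfhub-sync.yml and label-analysis.yml, and to the `pull-requests: write` line in create_rc_pr.yml. Because a job-level `permissions` block sets every unlisted scope to none for the `GITHUB_TOKEN` passed here as `GH_TOKEN`, it is worth confirming that the steps, which lie outside this hunk, need nothing else.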
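Review bot: In backport-pr.yml the `contents: write` grant applies to `GITHUB_TOKEN`, yet the first step of the job mints a separate token with `actions/create-github-app-token`. If the later steps, which are outside this hunk, push the backport branch with that app token, the workflow token needs no write scope and the block could be reduced to `contents: read`. If some step does push with `GITHUB_TOKEN`, a trailing comment naming it, e.g. `contents: write # <step that pushes with GITHUB_TOKEN>`, would record why the write scope stays.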
+++ b/.github/workflows/label-analysis.yml
@@ -19,6 +19,8 @@ jobs:
 assign-team-label:
 if: github.triggering_actor != 'dd-devflow[bot]'
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
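Review bot: With only `pull-requests: write` listed in label-analysis.yml, `contents` drops to none for this job, while its first step is `actions/checkout`. The clone still succeeds on a public repository, but it would fail where the repository is private (a private fork or mirror, for instance). Adding `contents: read` under `permissions:` states the read scope the checkout relies on and keeps the job working in both cases. The remaining steps are outside the hunk, so any other scope they use should be checked the same way.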