diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index c3057c3a31..cef38bcc06 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -7,6 +7,10 @@ on:
 
 jobs:
   release-please:
+    permissions:
+      contents: write # to create release commit (google-github-actions/release-please-action)
+      pull-requests: write # to create release PR (google-github-actions/release-please-action)
+
     runs-on: ubuntu-latest
     steps:
       - uses: google-github-actions/release-please-action@v2
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 7070df4e25..1cca2a81d2 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -7,6 +7,10 @@ on:
     branches: [ main ]
   pull_request:
     branches: [ main ]
+
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   Lint_Python:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/visual-studio.yml b/.github/workflows/visual-studio.yml
index 12125e5447..8abe36ecc2 100644
--- a/.github/workflows/visual-studio.yml
+++ b/.github/workflows/visual-studio.yml
@@ -6,6 +6,10 @@ on:
     branches: [ main ]
   pull_request:
     branches: [ main ]
+
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   visual-studio:
     strategy: