diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index cd3e71c3b..d4f7d6a3d 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -10,6 +10,10 @@ on:
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ contents: read
+ issues: write
+
 jobs:
 security_audit:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/on-pr-review-approve.yml b/.github/workflows/on-pr-review-approve.yml
index 08c373551..4fab369b7 100644
--- a/.github/workflows/on-pr-review-approve.yml
+++ b/.github/workflows/on-pr-review-approve.yml
@@ -2,6 +2,10 @@ on:
 pull_request_review:
 types: [submitted]
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 update-labels:
 if: github.event.review.state == 'approved'
diff --git a/.github/workflows/on-pr-review-submit.yml b/.github/workflows/on-pr-review-submit.yml
index e7b5010c6..4c6eca333 100644
--- a/.github/workflows/on-pr-review-submit.yml
+++ b/.github/workflows/on-pr-review-submit.yml
@@ -2,6 +2,10 @@ on:
 pull_request_review:
 types: [submitted]
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 update-labels:
 if: github.event.review.state == 'changes_requested'
diff --git a/.github/workflows/tag-merged-pr.yml b/.github/workflows/tag-merged-pr.yml
index cef7e6a66..f7c1b7694 100644
--- a/.github/workflows/tag-merged-pr.yml
+++ b/.github/workflows/tag-merged-pr.yml
@@ -4,6 +4,10 @@ on:
 - master
 types: [closed]
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 update-labels:
 if: ${{ github.event.pull_request.merged }}
diff --git a/.github/workflows/tag-new-pr.yml b/.github/workflows/tag-new-pr.yml
index bf15529e2..ea5af90e6 100644
--- a/.github/workflows/tag-new-pr.yml
+++ b/.github/workflows/tag-new-pr.yml
@@ -4,6 +4,10 @@ on:
 - master
 types: [opened, reopened, review_requested]
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 update-labels:
 runs-on: ubuntu-latest
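Review bot: In audit.yml the new workflow-level `permissions` block lists only `contents` and `issues`, and once the key is present every scope that is not listed is set to `none`. The steps of `security_audit` lie outside the hunk, so confirm that nothing in the job reports through another scope; if the audit step publishes a check run, for example, the block would also need `checks: write`. Because the grant is workflow-wide, any job added later inherits `issues: write`; declaring the same block under `security_audit:` would keep the write scope tied to the one job that files issues.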
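Review bot: In on-pr-review-approve.yml, `pull-requests: write` is not honoured when the review is on a pull request from a fork: for `pull_request_review` the token is capped at read-only unless the repository setting that sends write tokens to fork workflows is enabled, so `update-labels` would likely fail with a 403 there. The same applies to on-pr-review-submit.yml, and to tag-merged-pr.yml and tag-new-pr.yml if they run on `pull_request` (their trigger key is above the hunk and not visible). I would record this next to the block, e.g. `# token stays read-only for fork PRs; labels update only for same-repo branches`, rather than widening the trigger. If any of these runs on `pull_request_target`, where the write grant does take effect, the job should not check out or execute code from the PR head.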