diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 720f1210e..034253caf 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -10,6 +10,11 @@ on:
 schedule:
 - cron: "0 0 * * 0"
+permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/analyze to upload SARIF results
+
 jobs:
 CodeQL-Build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 0d7e68d95..4fbf3d3b9 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -1,5 +1,9 @@
 name: Tests
 on: [push, pull_request]
+
+permissions:
+ contents: read
+
 jobs:
 build:
 strategy:
diff --git a/.github/workflows/issueauto.yml b/.github/workflows/issueauto.yml
index a366d6ed8..40c4b36e7 100644
--- a/.github/workflows/issueauto.yml
+++ b/.github/workflows/issueauto.yml
@@ -2,16 +2,21 @@ name: Issue Automation
 on:
 issues:
 types: [opened]
+
+permissions:
+ contents: none
+ issues: write
+
 jobs:
 issue-auto:
 runs-on: ubuntu-latest
 steps:
 - name: label incoming issue
 env:
- GH_REPO: ${{ github.repository }}
- GH_TOKEN: ${{ secrets.AUTOMATION_TOKEN }}
- ISSUENUM: ${{ github.event.issue.number }}
- ISSUEAUTHOR: ${{ github.event.issue.user.login }}
+ GH_REPO: ${{ github.repository }}
+ GH_TOKEN: ${{ secrets.AUTOMATION_TOKEN }}
+ ISSUENUM: ${{ github.event.issue.number }}
+ ISSUEAUTHOR: ${{ github.event.issue.user.login }}
 run: |
 if ! gh api orgs/cli/public_members/$ISSUEAUTHOR --silent 2>/dev/null
 then
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index ea7d4ea34..e811ef6ef 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -11,6 +11,9 @@ on:
 - go.mod
 - go.sum
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/prauto.yml b/.github/workflows/prauto.yml
index 047fb52ea..2596fa76c 100644
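Review bot: In the issueauto.yml hunk the added `issues: write` grant applies to the default GITHUB_TOKEN, but the only step visible here authenticates `gh` through `GH_TOKEN: ${{ secrets.AUTOMATION_TOKEN }}`, so the labeling work runs under that separate token and is not constrained by the declared permissions. If no later step of `issue-auto` (the job continues past the hunk) relies on GITHUB_TOKEN, `issues: write` can be reduced to whatever the default token actually needs, and a comment on the `GH_TOKEN` line such as `# PAT rather than GITHUB_TOKEN — confirm why the default token is insufficient here` would record the intent for the next reader. `contents: none` is consistent with the visible step, which performs no checkout.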
--- a/.github/workflows/prauto.yml
+++ b/.github/workflows/prauto.yml
@@ -2,6 +2,12 @@ name: PR Automation
 on:
 pull_request_target:
 types: [ready_for_review, opened, reopened]
+
+permissions:
+ contents: none
+ issues: write
+ pull-requests: write
+
 jobs:
 pr-auto:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
index 3e7f6cf2f..5e570350a 100644
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@@ -5,6 +5,10 @@ on:
 tags:
 - "v*"
+permissions:
+ contents: write # publishing releases
+ repository-projects: write # move cards between columns
+
 jobs:
 goreleaser:
 runs-on: ubuntu-latest
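Review bot: In the prauto.yml hunk the `contents: none` / `issues: write` / `pull-requests: write` set is well matched to the `pull_request_target` trigger, which runs in the base repository's context with its secrets available even for pull requests from forks, but the steps of `pr-auto` lie outside the hunk and should be confirmed not to check out or execute the pull request's head. A comment above the block, e.g. `# pull_request_target runs with base-repo secrets: keep contents at none and never check out PR head code`, would make that constraint explicit for future edits. The `pr-auto` job body continues past the hunk.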
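Review bot: In the releases.yml hunk `contents: write` and `repository-projects: write` are declared at the workflow level, so they apply to every job in the file rather than only to `goreleaser`; if releases.yml has jobs beyond the one visible here, moving the `permissions` block under the `goreleaser` job keeps the others at the default read scope. The inline comments explaining each grant are useful; `# move cards between columns` could additionally name the step that needs it, so the grant can be dropped together with that step. The `goreleaser` job body continues past the hunk.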