diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml
index 93dccdd80..8b74b0afd 100644
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -1,4 +1,6 @@
 name: Backport
+permissions:
+  contents: read
 on:
   pull_request_target:
     types:
diff --git a/.github/workflows/docker-main.yaml b/.github/workflows/docker-main.yaml
index bb7026308..74c5808a2 100644
--- a/.github/workflows/docker-main.yaml
+++ b/.github/workflows/docker-main.yaml
@@ -1,4 +1,6 @@
 name: Docker Main
+permissions:
+  contents: read
 on:
   push:
     branches:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 75bfeab2e..14d1d3f49 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,4 +1,6 @@
 name: Release
+permissions:
+  contents: read
 
 on:
   release:
@@ -7,6 +9,10 @@ on:
 
 jobs:
   goreleaser:
+    permissions:
+      contents: write
+      issues: read
+      pull-requests: read
     runs-on: ubuntu-latest
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index fc12f13a7..18b2722f5 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -1,10 +1,12 @@
+name: Test
+permissions:
+  contents: read
 on:
   push:
     branches:
       - main
   pull_request:
 
-name: Test
 jobs:
   test:
     strategy: