diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9f44f8bcdc..03c9185c5d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,9 @@ on:
   pull_request:
     branches:
       - master
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index a4c3452453..ad2421a611 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -4,8 +4,14 @@ on:
   schedule:
     - cron: '0 0 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   lock:
+    permissions:
+      issues: write  # for dessant/lock-threads to lock issues
+      pull-requests: write  # for dessant/lock-threads to lock PRs
     runs-on: ubuntu-latest
     steps:
       - uses: dessant/lock-threads@v2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8f864af155..7de759ad79 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,9 @@ on:
   push:
     tags:
     - '*.*.*'
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy: