diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 549e23add..2cc29b229 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,9 @@ on:
     tags: [ 'v*' ]
   workflow_dispatch:
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   release-crates-io:
     name: Release crates.io
@@ -267,6 +270,8 @@ jobs:
           echo "::set-output name=env_url::https://pypi.org/project/maturin/$VERSION"
 
   release-github:
+    permissions:
+      contents: write # for softprops/action-gh-release to create GitHub release
     name: Publish to GitHub releases
     runs-on: ubuntu-latest
     if: "startsWith(github.ref, 'refs/tags/')"
diff --git a/.github/workflows/update-auditwheel.yml b/.github/workflows/update-auditwheel.yml
index 5d312a97a..30c3b04a7 100644
--- a/.github/workflows/update-auditwheel.yml
+++ b/.github/workflows/update-auditwheel.yml
@@ -6,8 +6,14 @@ on:
     # Run every week
     - cron: '0 0 * * 0'
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   update:
+    permissions:
+      contents: write # for peter-evans/create-pull-request to create branch
+      pull-requests: write # for peter-evans/create-pull-request to create a PR
     name: Update auditwheel policies
     runs-on: ubuntu-latest
     steps:
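Review bot: The inline comment on the new workflow-level `permissions:` records where the change came from rather than what it is for, so a reader still has to work out why `contents: read` is the default; the same comment is repeated in the update-auditwheel.yml hunk. A purpose comment reads better and survives the tool link going stale: `permissions: # least-privilege GITHUB_TOKEN default; jobs needing more scope declare it themselves`. Note that once this block exists, `release-crates-io` and the PyPI job that are not given their own `permissions` run with a read-only token, which is fine only if they publish with their own repository secrets rather than GITHUB_TOKEN — that cannot be confirmed from this hunk.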
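Review bot: A job-level `permissions` block replaces the workflow-level set instead of merging with it, so `contents: write` is now the entire token scope for `release-github`; that is sufficient for creating a release, but any later step in this job that reads pull requests, writes packages, or requests an OIDC token will fail until its scope is added here. Worth stating next to the key so the next editor does not assume `contents: read` from the top of the file still applies: `permissions: # replaces the workflow default entirely; list every scope this job needs`. The rest of the `release-github` job, including the steps that actually use the token, is outside this hunk.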
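Review bot: Granting `contents: write` and `pull-requests: write` lets create-pull-request push the branch and open the PR, but a PR opened with the workflow's GITHUB_TOKEN does not itself trigger `pull_request`-driven workflows, so CI will not run on the auto-generated update unless the action is configured with a different token. If that is the intended trade-off for the weekly job it should be documented on the key, e.g. `pull-requests: write # note: PRs opened with GITHUB_TOKEN do not trigger other workflows; CI must be run manually`. The `update` job's `steps:` list, where the token is actually consumed, continues outside this hunk.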