diff --git a/.github/workflows/check-binaries.yml b/.github/workflows/check-binaries.yml
index 75fa28f..fd12637 100644
--- a/.github/workflows/check-binaries.yml
+++ b/.github/workflows/check-binaries.yml
@@ -5,6 +5,9 @@ on:
   schedule:
    - cron: "0 16 * * 1-5"  # min h d Mo DoW / 9am PST M-F
 
+permissions:
+  issues: write
+
 jobs:
   check-for-vulnerabilities:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/integ-tests.yml b/.github/workflows/integ-tests.yml
index 92be22e..46c487c 100644
--- a/.github/workflows/integ-tests.yml
+++ b/.github/workflows/integ-tests.yml
@@ -6,6 +6,9 @@ on:
       - develop
       - main
 
+permissions:
+  contents: read
+
 jobs:
   go-tests:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 32e878d..bb3c514 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,6 +11,9 @@ on:
         description: "Information about the release"
         required: true
         default: "New release"
+permissions:
+  contents: write
+
 jobs:
   Release:
     environment: Release