diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 24e8f6ddf70..bfddf96db21 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -16,6 +16,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 37661e9efee..f97ac0960d5 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -16,6 +16,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   check-docsgen:
     name: Check (docs-check)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 4a13d60d94d..32595e87f20 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -19,6 +19,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   docker:
     name: Docker (${{ matrix.image }} / ${{ matrix.network }}) [publish=${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/') }}]
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index dfdb164cae1..28789e78d61 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,6 +17,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  # This enables the workflow to create GitHub releases
+  contents: write
+
 jobs:
   build:
     name: Build (${{ matrix.os }}/${{ matrix.arch }})