diff --git a/.github/workflows/apidiff.yaml b/.github/workflows/apidiff.yaml
index a76a30c..bc5dc34 100644
--- a/.github/workflows/apidiff.yaml
+++ b/.github/workflows/apidiff.yaml
@@ -2,6 +2,9 @@ name: Run apidiff
 
 on: [ pull_request ]
 
+permissions:
+  contents: read
+
 jobs:
   apidiff:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/assign.yaml b/.github/workflows/assign.yaml
index e1bfb97..4a33f54 100644
--- a/.github/workflows/assign.yaml
+++ b/.github/workflows/assign.yaml
@@ -6,9 +6,15 @@ on:
   pull_request_target:
     types: [opened, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   assign:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/github-script@v6
         with:
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index c46cb8b..b5bb027 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -2,6 +2,9 @@ name: Run lint
 
 on: [ push, pull_request ]
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 2b7f2b5..567e76d 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -2,6 +2,9 @@ name: Run tests
 
 on: [ push, pull_request ]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     strategy: