diff --git a/.github/workflows/close-needs-feedback.yml b/.github/workflows/close-needs-feedback.yml
index 7197598f38c49..27231303f16e5 100644
--- a/.github/workflows/close-needs-feedback.yml
+++ b/.github/workflows/close-needs-feedback.yml
@@ -4,10 +4,16 @@ on:
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ contents: read
+
 jobs:
 build:
 if: github.repository_owner == 'php'
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
 steps:
 - name: Close old issues that need feedback
 uses: dwieeb/needs-reply@v2
diff --git a/.github/workflows/close-stale-feature-requests.yml b/.github/workflows/close-stale-feature-requests.yml
index b6727dc2401d5..685bdced92ec3 100644
--- a/.github/workflows/close-stale-feature-requests.yml
+++ b/.github/workflows/close-stale-feature-requests.yml
@@ -4,10 +4,16 @@ on:
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ contents: read
+
 jobs:
 stale:
 if: github.repository_owner == 'php'
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
 steps:
 - uses: actions/stale@v4
 with:
diff --git a/.github/workflows/close-stale-prs.yml b/.github/workflows/close-stale-prs.yml
index e5fbacff5d152..ca4317be1e0f9 100644
--- a/.github/workflows/close-stale-prs.yml
+++ b/.github/workflows/close-stale-prs.yml
@@ -4,10 +4,16 @@ on:
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ contents: read
+
 jobs:
 stale:
 if: github.repository_owner == 'php'
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
 steps:
 - uses: actions/stale@v4
 with:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 7bed10529f647..13f0dc0864749 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -3,6 +3,8 @@ on:
 schedule:
 - cron: "0 1 * * *"
 workflow_dispatch: ~
+permissions:
+ contents: read
 jobs:
 GENERATE_MATRIX:
 name: Generate Matrix
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 38dad5e8f8fda..abe9a104429d1 100644
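Review bot: The third-party steps that now run with `issues: write` and `pull-requests: write` are still referenced by mutable tags: `dwieeb/needs-reply@v2` in this hunk, `actions/stale@v4` in close-stale-feature-requests.yml and close-stale-prs.yml, and `actions-ecosystem/action-remove-labels@v1` in remove-needs-feedback.yml. Whoever controls those tags decides what code receives the write-scoped token, so the narrowed permissions bound the damage but do not fix which code runs. Pinning each reference to a full commit SHA with the tag kept as a comment, e.g. `uses: dwieeb/needs-reply@<full-commit-sha>  # v2`, would close that gap. The `steps:` lists continue past the end of each hunk, so any further `uses:` entries in these jobs should be pinned the same way.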
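Review bot: The workflow-level `permissions:` block added above `jobs:` in nightly.yml (and likewise in push.yml) applies to every job in the file and sets all unlisted scopes to none, but only the first job header is visible in the hunk. Before merging, check that no job further down relies on a scope other than `contents: read`; one that does needs its own job-level block, as in the three close-* workflows. A short comment above the block would record the intent for later edits, e.g. `# Default for all jobs; a job that needs more declares its own permissions.`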
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -17,6 +17,8 @@ on:
 pull_request:
 branches:
 - '**'
+permissions:
+ contents: read
 jobs:
 LINUX_X64:
 strategy:
diff --git a/.github/workflows/remove-needs-feedback.yml b/.github/workflows/remove-needs-feedback.yml
index fded33b442081..8d1ff3e0a0712 100644
--- a/.github/workflows/remove-needs-feedback.yml
+++ b/.github/workflows/remove-needs-feedback.yml
@@ -5,10 +5,16 @@ on:
 types:
 - created
+permissions:
+ contents: read
+
 jobs:
 build:
 if: "github.repository_owner == 'php' && contains(github.event.issue.labels.*.name, 'Status: Needs Feedback') && github.event.issue.user.login == github.event.sender.login"
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
 steps:
 - uses: actions-ecosystem/action-remove-labels@v1
 with: