diff --git a/.github/workflows/label_issue.yml b/.github/workflows/label_issue.yml
index ead15724bb..d5b00d1d29 100644
--- a/.github/workflows/label_issue.yml
+++ b/.github/workflows/label_issue.yml
@@ -6,6 +6,10 @@ on:
       - opened
       - reopened
 
+    permissions:
+      contents: read # to fetch code
+      issues: write # to label issues
+
 jobs:
   triage:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/label_pr.yml b/.github/workflows/label_pr.yml
index 8e3f8b81a2..cd6036958f 100644
--- a/.github/workflows/label_pr.yml
+++ b/.github/workflows/label_pr.yml
@@ -7,6 +7,10 @@ on:
       - reopened
       - synchronize
 
+permissions:
+  contents: read # to determine modified files (actions/labeler)
+  pull-requests: write # to add labels to PRs (actions/labeler)
+
 jobs:
   triage:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/promote.yml b/.github/workflows/promote.yml
index 31c61824b1..bf6ef17852 100644
--- a/.github/workflows/promote.yml
+++ b/.github/workflows/promote.yml
@@ -8,6 +8,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   promote:
     if: endsWith(github.repository, '/awx')