diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0279816d0..a03c967ac 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,6 +8,9 @@ on:
       - main
 env: 
   NODE_OPTIONS: "--max-old-space-size=28000"
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 39342c01e..68efa41b1 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -11,6 +11,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: write
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/lint-prettier.yml b/.github/workflows/lint-prettier.yml
index 09f27c072..915c9c40b 100644
--- a/.github/workflows/lint-prettier.yml
+++ b/.github/workflows/lint-prettier.yml
@@ -7,6 +7,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   typecheck:
     name: Typecheck
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 98f0c4f37..662a6518c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,6 +4,9 @@ on:
 
 name: Merge Release Branch
 
+permissions:
+  contents: write
+
 jobs:
   publish:
     name: Publish
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c8f1f9b83..39c00d060 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,10 @@ on:
   push:
     branches:
       - "release/v*"
+permissions:
+  contents: write
+  pull-requests: read
+
 jobs:
   release:
     name: Create Release