diff --git a/.github/workflows/auto_assign.yml b/.github/workflows/auto_assign.yml
index 093e194..898c286 100644
--- a/.github/workflows/auto_assign.yml
+++ b/.github/workflows/auto_assign.yml
@@ -3,6 +3,10 @@ on:
 pull_request:
 types: [opened, ready_for_review]
+
+permissions:
+ pull-requests: write
+
 jobs:
 add-reviews:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0ab08c5..7b97c93 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,6 +6,10 @@ on:
 pull_request:
 branches: [ develop, main ]
+
+permissions:
+ contents: read
+
 defaults:
 run:
 working-directory: ./
diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index e6ce47d..f14e732 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -6,6 +6,11 @@ on:
 types:
 - completed
+
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 get_pr_details:
 # Guardrails to only ever run if PR recording workflow was indeed
diff --git a/.github/workflows/on_merged_pr.yml b/.github/workflows/on_merged_pr.yml
index 2bce046..c51d840 100644
--- a/.github/workflows/on_merged_pr.yml
+++ b/.github/workflows/on_merged_pr.yml
@@ -6,6 +6,11 @@ on:
 types:
 - completed
+
+permissions:
+ contents: read
+ issues: write
+
 jobs:
 get_pr_details:
 if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 9712a3f..b93984a 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -6,6 +6,11 @@ on:
 types:
 - completed
+
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 get_pr_details:
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
diff --git a/.github/workflows/record_pr.yml b/.github/workflows/record_pr.yml
index 7ef50e4..5e446e9 100644
--- a/.github/workflows/record_pr.yml
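Review bot: The new top-level block in auto_assign.yml grants only `pull-requests: write`, so every other scope of the workflow token, including `contents: read`, is now `none`; if any step of `add-reviews` (the job body is outside the hunk) checks out the repository or reads a file from it through the API, it will start failing with a 403 that the old default token did not produce. Confirm against the job's steps and add `contents: read` only if one of them needs it. Note also that on `pull_request` runs coming from forks the token is read-only regardless of this block, so the write scope presumably only takes effect for branches in this repository. A one-line comment above the block, `# request reviewers on the PR; no other scope is needed`, would record the intent for whoever next widens it.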
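Review bot: In label_pr_on_title.yml the write scope (`pull-requests: write`) is granted at workflow level, so it also applies to `get_pr_details`, which from its name and the guard comment on its first line appears only to read the recorded PR details and needs no write access; the same applies to `issues: write` in the on_merged_pr.yml hunk and `pull-requests: write` in the on_opened_pr.yml hunk. Because these workflows run on `workflow_run`, their token carries the base repository's privileges while the data they process originates from the pull request, which is exactly where a per-job scope pays off. Keep the top-level block at `contents: read` and move the write scope into a job-level `permissions:` on the job that performs the labelling or commenting (the jobs after `get_pr_details`, outside the hunk), e.g. under that job: `permissions:` / `pull-requests: write`. The `get_pr_details` job body continues outside the hunk in all three files.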
+++ b/.github/workflows/record_pr.yml
@@ -4,6 +4,10 @@ on:
 pull_request:
 types: [opened, edited, closed]
+
+permissions:
+ contents: read
+
 jobs:
 record_pr:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
index dfe1326..c1a3b77 100644
--- a/.github/workflows/reusable_export_pr_details.yml
+++ b/.github/workflows/reusable_export_pr_details.yml
@@ -36,6 +36,10 @@ on:
 description: "Whether PR is merged"
 value: ${{ jobs.export_pr_details.outputs.prIsMerged }}
+
+permissions:
+ contents: read
+
 jobs:
 export_pr_details: