diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 52689d6..659f080 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -1,5 +1,9 @@
 name: PR Autolabeler
 
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   # pull_request event is required for autolabeler
   pull_request:
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index e470c14..3163c6c 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,5 +1,8 @@
 name: main
 
+permissions:
+  contents: write
+
 on:
   push:
     branches:
diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml
index 39dd16e..9c148f6 100644
--- a/.github/workflows/publish-image.yml
+++ b/.github/workflows/publish-image.yml
@@ -1,5 +1,8 @@
 name: publish image
 
+permissions:
+  contents: read
+
 on:
   push:
     paths:
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index d25c13e..182ecec 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -6,6 +6,10 @@ on:
       - "main"
   workflow_dispatch:
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   draft-release:
     uses: commit-check/.github/.github/workflows/release-drafter.yml@main