diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index cae2e59595921966dae5af6fb670afdbf01f5cfb..21bc39202ccd0234bdbf485af493bbf295ee4f27 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
     types: [closed]
 
+permissions:
+  contents: write
+
 jobs:
   create-release:
     if: |
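Review bot: The `permissions:` block is added at workflow level, so `contents: write` is granted to every job in the file, including any added later; declaring it under `jobs.create-release` instead (`permissions:` / `contents: write` indented beneath the job key) would limit the write token to the job that publishes the release. The same applies to the workflow-level blocks added in deploy-docs.yml (`build-and-deploy`) and draft-release.yml (`build`, which also receives `pull-requests: write`). A short comment above each grant, for example `# contents: write is required to create the release`, would let a later reviewer tell whether the scope is still needed. The job bodies continue outside these hunks, so confirm which steps actually use the token before narrowing the scope.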
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
index 83f66359077b74c71961b31db7b977c40cff47fa..7f361d42d0a6184d7162324a3133e3c7608f51ca 100644
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -3,6 +3,10 @@ on:
   push:
     branches:
       - master
+
+permissions:
+  contents: write
+
 jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
index 094a8821ce67d1966cb878af2f9f1828c8f6fa88..fca619cd268a0504451dca871e10679629034e01 100644
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -5,6 +5,10 @@ on:
     # At 01:00 on the first day of every month
   workflow_dispatch:
 
+permissions:
+  pull-requests: write
+  contents: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/enforce-dependency-review.yml b/.github/workflows/enforce-dependency-review.yml
index f2605b7a7e2c71e25aac825eb5c55c28ae6e0b24..6bb0bd7593b50a23aadf1f862065fa6f3fd3043b 100644
--- a/.github/workflows/enforce-dependency-review.yml
+++ b/.github/workflows/enforce-dependency-review.yml
@@ -1,9 +1,6 @@
 name: 'Dependency Review'
 on: [pull_request]
 
-permissions:
-  contents: read
-
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
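Review bot: Dropping the explicit `permissions:` / `contents: read` block leaves this `pull_request`-triggered workflow on the repository or organization default for `GITHUB_TOKEN`, which may be read/write depending on settings not visible here. That runs against the rest of the commit, where the other three workflows gain explicit grants. Keeping `contents: read` at the top of the file preserves least privilege for a job that runs on every pull request. If the review step needs more, for instance to post a summary comment, add only that scope (`pull-requests: write`) under `jobs.dependency-review` rather than removing the block; the job's steps are outside the hunk, so this is to be confirmed against them.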