diff --git a/.github/workflows/label-manager.yml b/.github/workflows/label-manager.yml
index a87d543f1f..11218e3d3f 100644
--- a/.github/workflows/label-manager.yml
+++ b/.github/workflows/label-manager.yml
@@ -1,7 +1,12 @@
 on: issues
 name: Create Default Labels
+permissions: {}
 jobs:
   labels:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      issues: write # to add label to issues 
+
     name: DefaultLabelsActions
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/pr-release.yml b/.github/workflows/pr-release.yml
index eac3862c81..37c8688aeb 100644
--- a/.github/workflows/pr-release.yml
+++ b/.github/workflows/pr-release.yml
@@ -8,8 +8,13 @@ on:
 env:
   HUSKY: 0 # Bypass husky commit hook for CI
 
+permissions: {}
 jobs:
   pr-release:
+    permissions:
+      contents: write # to create release (changesets/action)
+      pull-requests: write # to create pull request (changesets/action)
+
     timeout-minutes: 15
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 66ac130085..3a2fad1abc 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -14,6 +14,9 @@ on:
         description: Force rebuild docker images for CI tests
         required: false
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   test-linux:
     runs-on: ubuntu-20.04