diff --git a/.github/workflows/close-stale.yml b/.github/workflows/close-stale.yml
index 56056c989462..a36254db4ef9 100644
--- a/.github/workflows/close-stale.yml
+++ b/.github/workflows/close-stale.yml
@@ -3,6 +3,10 @@ on:
   schedule:
     - cron: '*/10 * * * *'
 
+permissions:
+  issues: write # to close stale issues (actions/stale)
+  pull-requests: write # to close stale PRs (actions/stale)
+
 jobs:
   stale:
     name: 'Close month old issues and PRs'
diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml
index 544610f04863..ec0e49344fc7 100644
--- a/.github/workflows/issues.yml
+++ b/.github/workflows/issues.yml
@@ -4,6 +4,9 @@ on:
   issues:
     types: [labeled]
 
+permissions:
+  issues: write # to close issues (peter-evans/close-issue)
+
 jobs:
   questions:
     name: Questions
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index 2c143dc3f000..216f0b83fcb0 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -4,8 +4,13 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions: {}
 jobs:
   lock:
+    permissions:
+      issues: write # to lock issues (dessant/lock-threads)
+      pull-requests: write # to lock PRs (dessant/lock-threads)
+
     runs-on: ubuntu-latest
     steps:
       - uses: dessant/lock-threads@v3
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index e72e92e76d6f..24e7f7e2de3b 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   prepare-yarn-cache-ubuntu:
     uses: ./.github/workflows/prepare-cache.yml