diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index 9c9ce69de2c..fa0e8d72943 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -9,8 +9,15 @@ on:
 schedule:
 - cron: '0 2 * * *' # run at 2 AM UTC
+permissions:
+ contents: read
+
 jobs:
 security-audit:
+ permissions:
+ checks: write # for actions-rs/audit-check to create check
+ contents: read # for actions/checkout to fetch code
+ issues: write # for actions-rs/audit-check to create issues
 runs-on: ubuntu-latest
 if: "!contains(github.event.head_commit.message, 'ci skip')"
 steps:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4ad3eee7d0b..193f94c9e01 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,6 +27,9 @@ defaults:
 run:
 shell: bash
+permissions:
+ contents: read
+
 jobs:
 # Depends on all action sthat are required for a "successful" CI run.
 tests-pass:
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 885a4f18b73..28824cff689 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -4,8 +4,14 @@ on:
 # See .github/labeler.yml file
+permissions:
+ contents: read
+
 jobs:
 triage:
+ permissions:
+ contents: read # for actions/labeler to determine modified files
+ pull-requests: write # for actions/labeler to add labels to PRs
 runs-on: ubuntu-latest
 if: github.repository_owner == 'tokio-rs'
 steps:
diff --git a/.github/workflows/loom.yml b/.github/workflows/loom.yml
index 80c1b5ffc31..d9bc4d161e7 100644
--- a/.github/workflows/loom.yml
+++ b/.github/workflows/loom.yml
@@ -13,6 +13,9 @@ env:
 # Change to specific Rust release to pin
 rust_stable: stable
+permissions:
+ contents: read
+
 jobs:
 loom:
 name: loom
diff --git a/.github/workflows/pr-audit.yml b/.github/workflows/pr-audit.yml
index 8081a91bd50..408bc49edf1 100644
--- a/.github/workflows/pr-audit.yml
+++ b/.github/workflows/pr-audit.yml
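Review bot: In .github/workflows/audit.yml the `security-audit` job now passes a token with `checks: write` and `issues: write` to actions-rs/audit-check, so the way that action is referenced carries more weight than it did before. The `steps:` list continues outside the hunk and the `uses:` line is not visible here; if it names a tag or branch rather than a full commit SHA, a re-pointed ref would run with those write scopes. I would pin the action and record the constraint next to the block, for example `# write scopes are consumed by actions-rs/audit-check; keep that action pinned to a full commit SHA`.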
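Review bot: In .github/workflows/labeler.yml the `triage` job is granted `pull-requests: write`, and the trigger sits above the hunk, so it cannot be seen here whether the workflow runs on `pull_request_target`. If it does, the job holds that write scope for pull requests opened from forks, which stays safe only while the job never checks out or executes code from the PR head. A comment on the block would keep that constraint in front of future editors: `# token can write to PRs; never check out or run PR head code in this job`. The `steps:` list continues outside the hunk, so the current steps could not be checked against this.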
@@ -8,6 +8,9 @@ on:
 paths:
 - '**/Cargo.toml'
+permissions:
+ contents: read
+
 jobs:
 security-audit:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/stress-test.yml b/.github/workflows/stress-test.yml
index ecce0c407dc..9b93fdb67a5 100644
--- a/.github/workflows/stress-test.yml
+++ b/.github/workflows/stress-test.yml
@@ -11,6 +11,9 @@ env:
 # Change to specific Rust release to pin
 rust_stable: stable
+permissions:
+ contents: read
+
 jobs:
 stress-test:
 name: Stress Test
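Review bot: In .github/workflows/pr-audit.yml the `security-audit` job is left with the workflow-level `contents: read` only, whereas the job of the same name in audit.yml receives `checks: write` so that actions-rs/audit-check can create its check. The steps of this job are outside the hunk; if it runs the same action, it presumably can no longer publish a check run and the audit result would have to be read from the job log. If read-only is the intent for pull requests, saying so avoids a later "fix" that widens the token: `# read-only on purpose: audit findings for PRs are reported in the job log`. Otherwise the job needs its own `permissions:` block, scoped as narrowly as the one in audit.yml.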