diff --git a/.github/workflows/announce-a-release.yml b/.github/workflows/announce-a-release.yml
index e9f9293..e7bb0fa 100644
--- a/.github/workflows/announce-a-release.yml
+++ b/.github/workflows/announce-a-release.yml
@@ -7,6 +7,10 @@ on:
 
 concurrency: announce-a-release
 
+permissions:
+  packages: read
+  contents: write
+
 jobs:
   announce:
     name: Announcements
diff --git a/.github/workflows/breakage-against-linux-ponyc-latest.yml b/.github/workflows/breakage-against-linux-ponyc-latest.yml
index a0101d8..998de04 100644
--- a/.github/workflows/breakage-against-linux-ponyc-latest.yml
+++ b/.github/workflows/breakage-against-linux-ponyc-latest.yml
@@ -4,6 +4,9 @@ on:
   repository_dispatch:
     types: [shared-docker-linux-builders-updated]
 
+permissions:
+  packages: read
+
 jobs:
   libressl-3-vs-ponyc-latest:
     name: LibreSSL 3.x with most recent ponyc latest
diff --git a/.github/workflows/breakage-against-windows-ponyc-latest.yml b/.github/workflows/breakage-against-windows-ponyc-latest.yml
index ca01a49..8a859fb 100644
--- a/.github/workflows/breakage-against-windows-ponyc-latest.yml
+++ b/.github/workflows/breakage-against-windows-ponyc-latest.yml
@@ -4,6 +4,9 @@ on:
   repository_dispatch:
     types: [ponyc-windows-nightly-released]
 
+permissions:
+  packages: read
+
 jobs:
   windows-vs-ponyc-latest:
     name: Test against recent ponyc release on Windows
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 09ad0cc..4695afe 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -6,6 +6,9 @@ concurrency:
   group: pr-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  packages: read
+
 jobs:
   superlinter:
     name: Lint bash, docker, markdown, and yaml
diff --git a/.github/workflows/prepare-for-a-release.yml b/.github/workflows/prepare-for-a-release.yml
index 93ce4a1..564b19f 100644
--- a/.github/workflows/prepare-for-a-release.yml
+++ b/.github/workflows/prepare-for-a-release.yml
@@ -7,6 +7,10 @@ on:
 
 concurrency: prepare-for-a-release
 
+permissions:
+  packages: read
+  contents: write
+
 jobs:
   # all tasks that need to be done before we add an X.Y.Z tag
   # should be done as a step in the pre-tagging job.