diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3b8d73d17..ee40af996 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,6 +2,9 @@ name: CI on: ['push', 'pull_request'] +permissions: + contents: read # to fetch code (actions/checkout) + jobs: ci: runs-on: ubuntu-latest diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml index 2b0f227b9..02ad369b2 100644 --- a/.github/workflows/mirror.yml +++ b/.github/workflows/mirror.yml @@ -4,8 +4,12 @@ on: push: branches: ['main'] +permissions: {} jobs: mirror: + permissions: + contents: write # to update branch + runs-on: ubuntu-latest steps: diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 8acda7bbd..109afbaa0 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -4,8 +4,13 @@ on: schedule: - cron: '0 0 * * *' +permissions: {} jobs: stale: + permissions: + issues: write # to close stale issues (actions/stale) + pull-requests: write # to close stale PRs (actions/stale) + runs-on: ubuntu-latest steps:
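Review bot: In ci.yml the `contents: read` grant sits at workflow level, while mirror.yml and stale.yml in this same commit set a top-level `permissions: {}` and grant scopes per job. Using the same shape here keeps any job added later at zero permissions until it asks for something: `permissions: {}` at the top, and under `ci:` a `permissions:` map holding `contents: read # to fetch code (actions/checkout)`. The steps of the `ci` job lie outside the hunk, so confirm that none of them calls an API needing more than `contents: read`; such a call would start failing with a 403 after this change.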
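Review bot: In mirror.yml the comment on `contents: write`, `# to update branch`, does not say which branch or which step uses the grant, so a later reader cannot tell whether it is still needed. Suggest naming it, e.g. `contents: write # to push the mirrored branch with GITHUB_TOKEN`, adjusted to what the step really does. The steps are outside the hunk; if the push authenticates with a separate credential rather than GITHUB_TOKEN, `contents: read` would presumably suffice. Because this job runs with a write token on every push to `main`, any third-party action it uses is worth pinning to a full commit SHA.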
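Review bot: In stale.yml the job-level grant covers only `issues: write` and `pull-requests: write`, which fits labelling, commenting and closing, but the `with:` options and version of actions/stale are outside the hunk. If the step sets `delete-branch`, the action also needs `contents: write`, and newer releases that save state between runs may additionally need `actions: write`; without them those operations would be denied. Check the step's options against this list. The comments could also be widened to match what the scope is used for, e.g. `issues: write # to label, comment on and close stale issues (actions/stale)`.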