diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
index 894426a..494db1f 100644
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -13,6 +13,10 @@ on:
           - 'minor'
           - 'patch'
 
+permissions:
+  contents: 'read'
+  pull-requests: 'write'
+
 jobs:
   draft-release:
     uses: 'google-github-actions/.github/.github/workflows/draft-release.yml@v3' # ratchet:exclude
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0457b00..736378f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,10 @@ on:
       - 'main'
       - 'release/**/*'
 
+permissions:
+  contents: 'read'
+  packages: 'write'
+
 jobs:
   release:
     uses: 'google-github-actions/.github/.github/workflows/release.yml@v3' # ratchet:exclude
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1be6bc6..b7686e4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -33,6 +33,10 @@ defaults:
   run:
     shell: 'bash'
 
+permissions:
+  contents: 'read'
+  statuses: 'write'
+
 jobs:
   unit:
     name: 'unit'