diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 25bd4ef9f..46ea076d8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,6 +22,9 @@ env:
 DESTDIR: "./bin"
 DOCKER_CLI_VERSION: "20.10.17"
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 prepare:
 runs-on: ubuntu-latest
@@ -182,6 +185,9 @@ jobs:
 make e2e-compose-standalone
 release:
+ permissions:
+ contents: write # to create a release (ncipollo/release-action)
+
 runs-on: ubuntu-latest
 needs:
 - binary
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 9226f8c89..188c9361b 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -4,8 +4,13 @@ on:
 release:
 types: [published]
+permissions: {}
 jobs:
 open-pr:
+ permissions:
+ contents: write # to create branch (peter-evans/create-pull-request)
+ pull-requests: write # to create a PR (peter-evans/create-pull-request)
+
 runs-on: ubuntu-latest
 steps:
 -
diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml
index 94259e522..690cda7a8 100644
--- a/.github/workflows/merge.yml
+++ b/.github/workflows/merge.yml
@@ -12,6 +12,9 @@ on:
 - 'v*'
 workflow_dispatch:
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 e2e:
 name: Build and test
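Review bot: The workflow-level `permissions:` block added to ci.yml lists only `contents: read`, which sets every other GITHUB_TOKEN scope to `none` for each job that does not declare its own block; in this diff only `release` gets an override. The file continues past `prepare`, so the jobs outside the hunk should be checked for steps that use the token for anything other than checkout, because those would now fail with a permission error at run time. The same applies to the identical block added in merge.yml, where only the start of the `e2e` job is visible. I would also widen the comment so the intent survives later edits, e.g. `# workflow default: read-only token; unlisted scopes are none, jobs needing more declare their own permissions`.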
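Review bot: The job-level block under `release:` replaces the workflow default rather than adding to it, and `contents: write` is handed to every step of the job, not only to the release step named in the comment. Since a third-party action receives a write-capable token here, the `uses:` reference for ncipollo/release-action (outside this hunk) is worth pinning to a full commit SHA if it currently points at a tag or branch, in the form `uses: ncipollo/release-action@<full-commit-sha> # <tag>` (placeholder values). The job body continues past `- binary`, so which other steps run with this token cannot be confirmed from the hunk.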
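Review bot: `permissions:` only scopes the automatically issued GITHUB_TOKEN, so the `contents: write` and `pull-requests: write` grants on `open-pr` matter only if peter-evans/create-pull-request runs with that token against this repository. The steps are outside the hunk (it ends at the first `-`); if the step passes its own `token:` secret or opens the PR in another repository, these two scopes go unused and the job could stay on the empty default set by `permissions: {}`, with that secret being the credential to audit instead. As a style point, `permissions: {}` is not followed by a blank line before `jobs:`, unlike the blocks added in ci.yml and merge.yml.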