diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c94c40256c..e96aba35f7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,9 @@ on:
   pull_request:
     branches: [ bleed ]
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   linux:
     name: Linux (.NET 6.0)
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 8794f87405..3a65a6626b 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -8,6 +8,9 @@ on:
         required: true
         default: 'release-xxxxxxxx'
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   wiki:
     name: Update Wiki
diff --git a/.github/workflows/itch.yml b/.github/workflows/itch.yml
index e785284528..96a87f3106 100644
--- a/.github/workflows/itch.yml
+++ b/.github/workflows/itch.yml
@@ -8,6 +8,7 @@ on:
         required: true
         default: 'release-xxxxxxxx'
 
+permissions: {}
 jobs:
   itch:
     name: Deploy to itch.io
diff --git a/.github/workflows/packaging.yml b/.github/workflows/packaging.yml
index 53d11b7878..7d7236f079 100644
--- a/.github/workflows/packaging.yml
+++ b/.github/workflows/packaging.yml
@@ -7,6 +7,9 @@ on:
     - 'playtest-*'
     - 'devtest-*'
 
+permissions:
+  contents: write  #  for release creation (svenstaro/upload-release-action)
+
 jobs:
   source:
     name: Source Tarball