diff --git a/.github/workflows/macos_build.yml b/.github/workflows/macos_build.yml
index 7af8f16e..0722cc26 100644
--- a/.github/workflows/macos_build.yml
+++ b/.github/workflows/macos_build.yml
@@ -1,5 +1,9 @@
 name: macos_build
 on: [pull_request, push]
+
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   macos_build:
     strategy:
diff --git a/.github/workflows/no-response.yml b/.github/workflows/no-response.yml
index 9f62c14e..275b7563 100644
--- a/.github/workflows/no-response.yml
+++ b/.github/workflows/no-response.yml
@@ -9,8 +9,12 @@ on:
     # Schedule for ten minutes after the hour, every hour
     - cron: '10 * * * *'
 
+permissions: {}
 jobs:
   noResponse:
+    permissions:
+      issues: write  #  to update issues (lee-dohm/no-response)
+
     runs-on: ubuntu-latest
     steps:
       - uses: lee-dohm/no-response@v0.5.0
diff --git a/.github/workflows/pyenv_tests.yml b/.github/workflows/pyenv_tests.yml
index 2d3ba3c6..5937d86d 100644
--- a/.github/workflows/pyenv_tests.yml
+++ b/.github/workflows/pyenv_tests.yml
@@ -1,5 +1,9 @@
 name: pyenv_tests
 on: [pull_request, push]
+
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   pyenv_tests:
     strategy:
diff --git a/.github/workflows/ubuntu_build.yml b/.github/workflows/ubuntu_build.yml
index 59e7978c..205d0584 100644
--- a/.github/workflows/ubuntu_build.yml
+++ b/.github/workflows/ubuntu_build.yml
@@ -1,5 +1,9 @@
 name: ubuntu_build
 on: [pull_request, push]
+
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   ubuntu_build:
     strategy: