diff --git a/.github/workflows/auto_labeler_issues.yml b/.github/workflows/auto_labeler_issues.yml
index 0d8f7c1f8..e0e8bbe71 100644
--- a/.github/workflows/auto_labeler_issues.yml
+++ b/.github/workflows/auto_labeler_issues.yml
@@ -3,6 +3,9 @@ on:
   issues:
     types: [opened]
 
+permissions:
+  issues: write
+
 jobs:
   build:
 
diff --git a/.github/workflows/auto_labeler_pr.yml b/.github/workflows/auto_labeler_pr.yml
index 7d93fb35f..31ec56bba 100644
--- a/.github/workflows/auto_labeler_pr.yml
+++ b/.github/workflows/auto_labeler_pr.yml
@@ -2,6 +2,9 @@ name: Auto Labeler - PRs
 on:
   pull_request_target:
 
+permissions:
+  pull-requests: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml
index 186009f76..734f8d07e 100644
--- a/.github/workflows/prepare_release.yml
+++ b/.github/workflows/prepare_release.yml
@@ -7,6 +7,10 @@ on:
         required: false
         default: 'auto'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   crowdin_download_translations:
     needs: pr_stable_bump
diff --git a/.github/workflows/publish_release.yml b/.github/workflows/publish_release.yml
index fd1a7c226..2285479d3 100644
--- a/.github/workflows/publish_release.yml
+++ b/.github/workflows/publish_release.yml
@@ -29,6 +29,9 @@ jobs:
           twine upload dist/*
 
   pr_dev_bump:
+    permissions:
+      contents: write
+      pull-requests: write
     needs: release_to_pypi
     runs-on: ubuntu-latest
     steps: