diff --git a/.github/workflows/auto-pr.yml b/.github/workflows/auto-pr.yml
index 6bfad646..ed0f7d28 100644
--- a/.github/workflows/auto-pr.yml
+++ b/.github/workflows/auto-pr.yml
@@ -3,6 +3,11 @@ on:
   issues:
     types: [labeled]
 
+permissions:
+  contents: write
+  pull-requests: write
+  issues: read
+
 jobs:
   auto-pr:
     if: startsWith(github.event.label.name, 'auto-pr')
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 979c67e8..e6279037 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: ["main"]
 
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
diff --git a/.github/workflows/docs-preview-cleanup.yml b/.github/workflows/docs-preview-cleanup.yml
index 34502d02..5d80161f 100644
--- a/.github/workflows/docs-preview-cleanup.yml
+++ b/.github/workflows/docs-preview-cleanup.yml
@@ -6,6 +6,8 @@ on:
     types:
       - closed
 
+permissions: {}
+
 jobs:
   cleanup:
     uses: elastic/docs-actions/.github/workflows/docs-preview-cleanup.yml@67a2f08b5b237e0f333d23c357b2f6cb6860ecf9 # v1
diff --git a/.github/workflows/regenerate-notice.yml b/.github/workflows/regenerate-notice.yml
index 85ee4be2..c51b3231 100644
--- a/.github/workflows/regenerate-notice.yml
+++ b/.github/workflows/regenerate-notice.yml
@@ -8,6 +8,8 @@ on:
       - package.json
       - package-lock.json
 
+permissions: {}
+
 jobs:
   regenerate:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/resolve-conflicts.yml b/.github/workflows/resolve-conflicts.yml
index c7ceea03..4a3fe594 100644
--- a/.github/workflows/resolve-conflicts.yml
+++ b/.github/workflows/resolve-conflicts.yml
@@ -3,6 +3,11 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: write
+  pull-requests: write
+  issues: read
+
 jobs:
   resolve:
     uses: elastic/clients-team-automations/.github/workflows/ai-backport-resolver.yml@main