diff --git a/.github/workflows/action-ci.yml b/.github/workflows/action-ci.yml index 7f75cd5..b1edd1c 100644 --- a/.github/workflows/action-ci.yml +++ b/.github/workflows/action-ci.yml @@ -3,6 +3,8 @@ name: Action CI on: workflow_call: +permissions: {} + jobs: ci: @@ -72,6 +74,8 @@ jobs: outputs: do_release: ${{ steps.gauge-release.outputs.do_release }} next_tag: ${{ steps.gauge-release.outputs.next_tag }} + permissions: + contents: read steps: - name: Gauge release id: gauge-release @@ -84,6 +88,8 @@ jobs: runs-on: ubuntu-latest needs: gaugerelease if: ${{ needs.gaugerelease.outputs.do_release == '1' }} + permissions: + contents: write steps: - name: Patch release uses: silverstripe/gha-tag-release@v1 @@ -104,6 +110,8 @@ jobs: env: GITHUB_REPOSITORY: ${{ github.repository }} BRANCH: ${{ needs.ci.outputs.branch }} + permissions: + actions: write steps: - name: Dispatch auto tag run: | diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml index 32801df..8d7002f 100644 --- a/.github/workflows/auto-tag.yml +++ b/.github/workflows/auto-tag.yml @@ -4,10 +4,15 @@ on: tags: - '*.*.*' workflow_dispatch: + +permissions: {} + jobs: auto-tag: name: Auto-tag runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Auto-tag uses: silverstripe/gha-auto-tag@v1 diff --git a/.github/workflows/keepalive.yml b/.github/workflows/keepalive.yml index ad71951..5ec3dc4 100644 --- a/.github/workflows/keepalive.yml +++ b/.github/workflows/keepalive.yml @@ -6,12 +6,16 @@ on: - cron: '30 6 3 * *' workflow_dispatch: +permissions: {} + jobs: keepalive: name: Keepalive # Only run cron on the silverstripe account if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule') runs-on: ubuntu-latest + permissions: + actions: write steps: - name: Keepalive uses: silverstripe/gha-keepalive@v1 diff --git a/.github/workflows/merge-up.yml b/.github/workflows/merge-up.yml index 67e94c5..cc1d268 100644 
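Review bot: With `permissions: {}` at the top of this `workflow_call` workflow, every job without its own `permissions:` key now gets a token with no scopes, and the `ci` job's body is outside this hunk, so it is not visible whether it declares any. If `ci` or another unlisted job checks out a private repository or reads other repository data, it needs an explicit grant such as `contents: read`. Because a called workflow can only lower the caller's token permissions, never raise them, callers must also grant at least `contents: write` and `actions: write` for the release and dispatch jobs further down. A comment above the new line, for example `# Callers must grant contents: write and actions: write; each job declares its own scopes.`, would document that contract.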
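Review bot: The `contents: write` token granted to this job is handed to `silverstripe/gha-tag-release@v1`, a movable tag, so whatever commit `v1` resolves to at run time can push to the repository. Pinning the step to a full commit SHA, `uses: silverstripe/gha-tag-release@<full-commit-sha> # v1`, fixes the code that receives the write token and makes it reviewable. The same applies to `gha-auto-tag@v1` in auto-tag.yml (`contents: write`), `gha-keepalive@v1` in keepalive.yml (`actions: write`) and `gha-merge-up@v1` in merge-up.yml (both scopes). These actions live in the same organisation, which lowers the risk but does not remove it, since anyone with push access to those repositories can move the tag. The job's remaining steps are outside the hunk.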
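Review bot: The `actions: write` scope on this job has no comment tying it to the call that needs it, and the `run: |` script that uses the token is outside the hunk. Judging by the step name, the scope is for dispatching auto-tag.yml, so a comment such as `actions: write  # dispatch auto-tag.yml via the REST API` would record that once confirmed. Since `BRANCH` comes from a job output, it is worth checking that the script only reads it as a quoted `"$BRANCH"` shell variable, as the `env:` block suggests, and never interpolates `${{ needs.ci.outputs.branch }}` into the script text.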
--- a/.github/workflows/merge-up.yml +++ b/.github/workflows/merge-up.yml @@ -6,12 +6,17 @@ on: - cron: '30 6 * * 2' workflow_dispatch: +permissions: {} + jobs: merge-up: name: Merge-up # Only run cron on the silverstripe account if: (github.event_name == 'schedule' && github.repository_owner == 'silverstripe') || (github.event_name != 'schedule') runs-on: ubuntu-latest + permissions: + contents: write + actions: write steps: - name: Merge-up uses: silverstripe/gha-merge-up@v1
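Review bot: The two write scopes on `merge-up` carry no comment saying which operation needs each one, which makes any later tightening hard to review. `contents: write` is presumably for pushing the merged branches and `actions: write` for triggering CI afterwards, but neither use is visible in this hunk, so confirm both against gha-merge-up. They could then be recorded inline, e.g. `contents: write  # push merged branches` and `actions: write  # TODO confirm: trigger CI after push`. If the action turns out not to call the Actions API, dropping `actions: write` keeps the scheduled job's token to the minimum.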