diff --git a/.github/workflows/lint-and-test.yml b/.github/workflows/lint-and-test.yml
index 88fcf2df..f5f0297b 100644
--- a/.github/workflows/lint-and-test.yml
+++ b/.github/workflows/lint-and-test.yml
@@ -1,6 +1,10 @@
 ## Reference: https://github.com/helm/chart-testing-action
 name: Linting and Testing
 on: pull_request
+
+permissions:
+  contents: read
+
 jobs:
   chart-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 83dec55e..f42d814f 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -8,8 +8,14 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   main:
+    permissions:
+      pull-requests: read  # for amannn/action-semantic-pull-request to analyze PRs
+      statuses: write  # for amannn/action-semantic-pull-request to mark status of analyzed PR
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 729c2621..6090494f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,8 +5,13 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   publish:
+    permissions:
+      contents: write  # for helm/chart-releaser-action to push chart release and create a release
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 0e8a171e..a9b2dbe2 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -3,8 +3,15 @@ name: Mark stale issues and pull requests
 on:
   schedule:
   - cron: "30 1 * * *"
+
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
     steps:
     - uses: actions/stale@v5