diff --git a/.github/workflows/approve-dependabot.yml b/.github/workflows/approve-dependabot.yml
index e8c0c402..5fe3e2df 100644
--- a/.github/workflows/approve-dependabot.yml
+++ b/.github/workflows/approve-dependabot.yml
@@ -14,6 +14,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   enable-auto-merge-github-actions:
     if: |-
diff --git a/.github/workflows/create-prs-for-stale-branches.yml b/.github/workflows/create-prs-for-stale-branches.yml
index c25df202..8a9f6f1b 100644
--- a/.github/workflows/create-prs-for-stale-branches.yml
+++ b/.github/workflows/create-prs-for-stale-branches.yml
@@ -13,13 +13,13 @@ concurrency:
   group: ${{github.workflow}}-${{github.ref}}
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   build-matrix:
     runs-on: [self-hosted, linux, build]
 
-    permissions:
-      contents: read
-
     steps:
       - name: "Initialise Workspace"
         if: startsWith(runner.name, 'buildagent-')
diff --git a/.github/workflows/update-labels.yml b/.github/workflows/update-labels.yml
index 00822666..103fdf54 100644
--- a/.github/workflows/update-labels.yml
+++ b/.github/workflows/update-labels.yml
@@ -12,11 +12,17 @@ concurrency:
   group: ${{github.workflow}}-${{github.ref}}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   update-labels-config:
 
     runs-on: [self-hosted, linux, build]
 
+    permissions:
+      issues: write  # for crazy-max/ghaction-github-labeler to create, rename, update
+
     steps:
       - name: "Initialise Workspace"
         if: startsWith(runner.name, 'buildagent-')