diff --git a/.github/workflows/build-report.yml b/.github/workflows/build-report.yml
index 9af62a6bf..3fdb21d13 100644
--- a/.github/workflows/build-report.yml
+++ b/.github/workflows/build-report.yml
@@ -5,6 +5,8 @@ on:
   schedule:
     - cron: "0 21 * * *"  # 9pm UTC = 1pm PST / 2pm PDT, 12 hours after testapps run
 
+permissions: write-all
+
 env:
   GITHUB_TOKEN: ${{ github.token }}
   numDays: 7
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index c1ee5375f..9b5261583 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -4,6 +4,8 @@ on:
   pull_request:
     types: [opened, reopened, synchronize, labeled, unlabeled]
 
+permissions: write-all
+
 env:
   triggerLabelFull: "tests-requested: full"
   triggerLabelQuick: "tests-requested: quick"
diff --git a/.github/workflows/checks_secure.yml b/.github/workflows/checks_secure.yml
index c919b374b..9bd167d0b 100644
--- a/.github/workflows/checks_secure.yml
+++ b/.github/workflows/checks_secure.yml
@@ -5,6 +5,8 @@ on:
   pull_request_target:
     types: [synchronize]
 
+permissions: write-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/update-feature-branches.yml b/.github/workflows/update-feature-branches.yml
index b39ad3e27..20590ab7d 100644
--- a/.github/workflows/update-feature-branches.yml
+++ b/.github/workflows/update-feature-branches.yml
@@ -13,6 +13,8 @@ on:
   schedule:
     - cron: "0 16 * * 1"  # Mondays, 4pm UTC = 9am PST / 10am PDT
 
+permissions: write-all
+
 env:
   defaultBranchPattern: "feature_branch/*"
   defaultMainBranch: "main"