diff --git a/.github/workflows/changesets.yml b/.github/workflows/changesets.yml
index 792d5c2f0..798c2eb0d 100644
--- a/.github/workflows/changesets.yml
+++ b/.github/workflows/changesets.yml
@@ -12,6 +12,9 @@ env:
 CI: true
 PNPM_CACHE_FOLDER: .pnpm-store
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 # Update package versions from changesets.
 version:
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 03f89f99f..de0ba5153 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -15,6 +15,10 @@ on:
 - 'master'
 tags:
 - 'v*'
+
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 docker:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/static-data.yml b/.github/workflows/static-data.yml
index 13ac4e8ee..a6019028d 100644
--- a/.github/workflows/static-data.yml
+++ b/.github/workflows/static-data.yml
@@ -10,6 +10,10 @@ on:
 # push:
 # branches:
 # - master
+
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 prepare:
 name: Run script
diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
index 9ebf31d34..929176419 100644
--- a/.github/workflows/website.yml
+++ b/.github/workflows/website.yml
@@ -9,8 +9,16 @@ on:
 schedule:
 - cron: '0 0 * * *'
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 build:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+ deployments: write
+ pull-requests: write # to comment on pull-requests
+
 runs-on: ubuntu-latest
 env:
 NODE_OPTIONS: --max_old_space_size=4096
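Review bot: The workflow-level `permissions:` block with only `contents: read`, added above `jobs:` in changesets.yml, sets every scope it does not list to `none` for all jobs, while the `version` job is commented as updating package versions from changesets, which normally means pushing a branch and opening a pull request. If that job authenticates with `GITHUB_TOKEN` rather than a separate token (its body is outside the hunk, so this cannot be seen here), it needs a job-level `permissions:` override with `contents: write` and `pull-requests: write`, leaving the read-only default in place for everything else. The same check applies to the identical blocks in docker-publish.yml (`packages: write` if the image is pushed to GHCR with `GITHUB_TOKEN`) and static-data.yml (if the script commits its output).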
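Review bot: In website.yml the `build` job is granted `deployments: write` and `pull-requests: write` for its whole run, so the dependency install and site build steps hold a token that can comment on pull requests and create deployments, not only the step that needs it. The job body continues past the hunk, so the step layout is not visible; if build and publish share this job, moving the comment and deployment steps into a second job that consumes the build artifact would let `build` stay at `contents: read`. The `deployments: write` line is also the only one without a trailing reason; add one naming the step that uses it, in the same form as `# to comment on pull-requests`.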