diff --git a/.github/workflows/issue-comment-created.yml b/.github/workflows/issue-comment-created.yml
index b8c4d6bfacc1..a1468e52d52a 100644
--- a/.github/workflows/issue-comment-created.yml
+++ b/.github/workflows/issue-comment-created.yml
@@ -4,6 +4,9 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   issue_comment_triage:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index ed67648c7887..fe9363350ec1 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -4,8 +4,14 @@ on:
   schedule:
     - cron: '50 1 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   lock:
+    permissions:
+      issues: write  # for dessant/lock-threads to lock issues
+      pull-requests: write  # for dessant/lock-threads to lock PRs
     runs-on: ubuntu-latest
     steps:
       - uses: dessant/lock-threads@v2
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 08b438da4cf5..0284b24121cb 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -6,6 +6,9 @@ on:
     types:
       - closed
     
+permissions:
+  contents: read
+
 jobs:
   backport:
     if: github.event.pull_request.merged