diff --git a/.github/workflows/stale-actions.yml b/.github/workflows/stale-actions.yml
index 17823f0800..d663566ff5 100644
--- a/.github/workflows/stale-actions.yml
+++ b/.github/workflows/stale-actions.yml
@@ -3,9 +3,14 @@ on:
   schedule:
   - cron: "00 10 * * *"
 
+permissions: read-all
+
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
     - uses: actions/stale@v8
       with:
diff --git a/.github/workflows/test-ruby-head.yml b/.github/workflows/test-ruby-head.yml
index 911d2e6b45..ee0ebd44a4 100644
--- a/.github/workflows/test-ruby-head.yml
+++ b/.github/workflows/test-ruby-head.yml
@@ -5,6 +5,8 @@ on:
     - cron: '11 14 * * 0'
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   test:
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index b86bb30e26..7ad8d3d7ad 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: [master]
 
+permissions: read-all
+
 jobs:
   test:
     runs-on: ${{ matrix.os }}