diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e158fcdc..07fa209c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,8 +6,14 @@ name: Release
       - next
       - beta
       - "*.x"
+permissions:
+  contents: read #  for checkout
 jobs:
   release:
+    permissions:
+      contents: write #  to be able to publish a GitHub release
+      issues: write #  to be able to comment on released issues
+      pull-requests: write #  to be able to comment on released pull requests
     name: release
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 6ecae2c0..1c2ff420 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -12,6 +12,9 @@ on:
       - opened
       - synchronize
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   test_matrix:
     strategy: