diff --git a/.github/workflows/prepare-for-a-release.yml b/.github/workflows/prepare-for-a-release.yml
index c1debd9..d18e025 100644
--- a/.github/workflows/prepare-for-a-release.yml
+++ b/.github/workflows/prepare-for-a-release.yml
@@ -6,6 +6,10 @@ on:
 
 concurrency: prepare-for-a-release
 
+permissions:
+  packages: read
+  contents: write
+
 jobs:
   # all tasks that need to be done before we add an X.Y.Z tag
   # should be done as a step in the pre-tagging job.
diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml
index c358cfb..0f9e100 100644
--- a/.github/workflows/release-notes.yml
+++ b/.github/workflows/release-notes.yml
@@ -10,6 +10,10 @@ on:
       - .release-notes/next-release.md
       - .release-notes/\d+.\d+.\d+.md
 
+permissions:
+  packages: read
+  contents: write
+
 jobs:
   release-notes:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 53a8022..9db08ce 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,10 @@ on:
 
 concurrency: release
 
+permissions:
+  packages: write
+  contents: write
+
 jobs:
   # validation to assure that we should in fact continue with the release should
   # be done here. the primary reason for this step is to verify that the release