diff --git a/.github/workflows/announce-a-release.yml b/.github/workflows/announce-a-release.yml
index 42e3963..47d08d6 100644
--- a/.github/workflows/announce-a-release.yml
+++ b/.github/workflows/announce-a-release.yml
@@ -6,6 +6,10 @@ on:
 concurrency: announce-a-release
+permissions:
+ packages: read
+ contents: write
+
 jobs:
 announce:
 name: Announcements
diff --git a/.github/workflows/breakage-against-linux-ponyc-latest.yml b/.github/workflows/breakage-against-linux-ponyc-latest.yml
index 6f94bdb..6106541 100644
--- a/.github/workflows/breakage-against-linux-ponyc-latest.yml
+++ b/.github/workflows/breakage-against-linux-ponyc-latest.yml
@@ -4,6 +4,9 @@ on:
 repository_dispatch:
 types: [shared-docker-linux-builders-updated]
+permissions:
+ packages: read
+
 jobs:
 linux:
 name: Verify main against the latest ponyc on Linux
diff --git a/.github/workflows/breakage-against-macos-arm64-ponyc-latest.yml b/.github/workflows/breakage-against-macos-arm64-ponyc-latest.yml
index f6f3acd..eab0e23 100644
--- a/.github/workflows/breakage-against-macos-arm64-ponyc-latest.yml
+++ b/.github/workflows/breakage-against-macos-arm64-ponyc-latest.yml
@@ -4,6 +4,9 @@ on:
 repository_dispatch:
 types: [ponyc-arm64-macos-nightly-released]
+permissions:
+ packages: read
+
 jobs:
 macos:
 name: Verify main against the latest ponyc on macOS
diff --git a/.github/workflows/breakage-against-macos-x86-ponyc-latest.yml b/.github/workflows/breakage-against-macos-x86-ponyc-latest.yml
index 7a0035b..9c6d7d5 100644
--- a/.github/workflows/breakage-against-macos-x86-ponyc-latest.yml
+++ b/.github/workflows/breakage-against-macos-x86-ponyc-latest.yml
@@ -4,6 +4,9 @@ on:
 repository_dispatch:
 types: [ponyc-x86_64-macos-nightly-released]
+permissions:
+ packages: read
+
 jobs:
 macos:
 name: Verify main against the latest ponyc on macOS
diff --git a/.github/workflows/breakage-against-windows-ponyc-latest.yml b/.github/workflows/breakage-against-windows-ponyc-latest.yml
index a8cbcf6..a701815 100644
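Review bot: In `announce-a-release.yml` the `contents: write` grant sits at workflow level, so every job and every third-party action the workflow runs receives a token that can push commits, tags and releases. The `announce` job continues outside the hunk, so the step that needs write access cannot be seen here; if the workflow has or later gains other jobs, a job-level `permissions:` block on the job that needs it would keep the rest read-only. A short comment above the key, such as `# contents: write is needed to <reason>`, would let a later reviewer check the grant against the steps.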
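Review bot: With only `packages: read` listed in `breakage-against-linux-ponyc-latest.yml`, every other token scope, including `contents`, drops to `none`. The jobs are outside the hunk; if they check out the repository with the workflow token, that keeps working only while the repository is public, so stating `contents: read` next to `packages: read` would make the requirement explicit. The same block is added to the macOS arm64, macOS x86 and Windows breakage workflows and to `nightlies.yml` and `pr.yml`, and `latest-docker-image.yml` lists only `packages: write`. For the macOS and Windows workflows it is also worth confirming that `packages: read` is used at all; if nothing there pulls from the package registry, `contents: read` alone would be tighter.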
--- a/.github/workflows/breakage-against-windows-ponyc-latest.yml
+++ b/.github/workflows/breakage-against-windows-ponyc-latest.yml
@@ -4,6 +4,9 @@ on:
 repository_dispatch:
 types: [ponyc-windows-nightly-released]
+permissions:
+ packages: read
+
 jobs:
 windows:
 name: Verify main against the latest ponyc on Windows
diff --git a/.github/workflows/generate-documentation.yml b/.github/workflows/generate-documentation.yml
index 3a67616..cdf0960 100644
--- a/.github/workflows/generate-documentation.yml
+++ b/.github/workflows/generate-documentation.yml
@@ -3,6 +3,12 @@ name: Manually generate documentation
 on: workflow_dispatch
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+ packages: read
+
 jobs:
 generate-documentation:
 name: Generate documentation for release
diff --git a/.github/workflows/latest-docker-image.yml b/.github/workflows/latest-docker-image.yml
index a161fd1..cf4a929 100644
--- a/.github/workflows/latest-docker-image.yml
+++ b/.github/workflows/latest-docker-image.yml
@@ -9,6 +9,9 @@ concurrency:
 group: build-latest-docker-images
 cancel-in-progress: true
+permissions:
+ packages: write
+
 jobs:
 build-latest-docker-image:
 name: Build and push latest Docker image
diff --git a/.github/workflows/nightlies.yml b/.github/workflows/nightlies.yml
index c208a34..41b8394 100644
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -4,6 +4,9 @@ on:
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ packages: read
+
 jobs:
 x86-64-unknown-linux-nightly:
 name: Build and upload x86-64-unknown-linux-nightly to Cloudsmith
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index a5bda29..2be2b50 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -6,6 +6,9 @@ concurrency:
 group: pr-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ packages: read
+
 jobs:
 superlinter:
 name: Lint bash, docker, markdown, and yaml
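Review bot: `pages: write` and `id-token: write` in `generate-documentation.yml` are granted to the whole workflow, so every step of the `generate-documentation` job, including the documentation build itself, can request an OIDC token and publish to Pages. The job body is outside the hunk; if build and deployment run in the same job, splitting them and giving the two write scopes only to the deploying job through a job-level `permissions:` block would keep the build steps on a read-only token. If the workflow stays a single job, a comment above the block, such as `# pages and id-token write: required by the Pages deployment step`, would record why they are there (presumably the Pages deployment; confirm against the steps).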