diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 49b563348..5b2cc0e6d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,9 +6,16 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
 
   build:
+    permissions:
+      contents: read  #  to fetch code (actions/checkout)
+      checks: write  #  to create a new check based on the results (shogo82148/actions-goveralls)
+
     name: Build
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index cfc08b081..f21f176d5 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -5,8 +5,12 @@ on:
     tags:
       - "v*"
 
+permissions: {}
 jobs:
   release_docs:
+    permissions:
+      contents: write  #  for mike to push
+
     name: Release Docs
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/release-chart.yaml b/.github/workflows/release-chart.yaml
index e87909178..21c29e1df 100644
--- a/.github/workflows/release-chart.yaml
+++ b/.github/workflows/release-chart.yaml
@@ -7,8 +7,13 @@ on:
     paths:
       - "charts/external-dns/Chart.yaml"
 
+permissions: {}
 jobs:
   release:
+
+    permissions:
+      contents: write  #  to push chart release and create a release (helm/chart-releaser-action)
+
     if: github.repository == 'kubernetes-sigs/external-dns'
     runs-on: ubuntu-latest
     defaults:
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 0c8766e0b..08bb97159 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,6 +1,10 @@
 name: trivy vulnerability scanner
 on:
   push:
+
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   build:
     name: Build