diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml
index c8db39e288..c980c98540 100644
--- a/.github/workflows/doc.yml
+++ b/.github/workflows/doc.yml
@@ -16,6 +16,9 @@ on:
       - 'doc/**'
       - 'mkdocs.yml'
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   publish:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 30077972c1..ad86f23dda 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -4,8 +4,15 @@ on:
   pull_request:
     branches: [master, main]
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   super-linter:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      checks: write # to mark the status of each individual linter run
+
     name: Lint Code Base
     runs-on: ubuntu-latest
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ae750d95e4..66e348306c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -18,6 +18,9 @@ on:
       - 'doc/**'
       - 'mkdocs.yml'
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   test:
     runs-on: ubuntu-18.04