diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
index 4232ceb6236..4d1e2a2a0f9 100644
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -4,6 +4,10 @@ on:
   pull_request_target:
     types: [edited, opened, synchronize, reopened]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   labels:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/manual-nixos.yml b/.github/workflows/manual-nixos.yml
index fa1f8fc6911..c885f6f7665 100644
--- a/.github/workflows/manual-nixos.yml
+++ b/.github/workflows/manual-nixos.yml
@@ -1,5 +1,7 @@
 name: "Build NixOS manual"
 
+permissions: read-all
+
 on:
   pull_request_target:
     branches:
diff --git a/.github/workflows/manual-nixpkgs.yml b/.github/workflows/manual-nixpkgs.yml
index 192a4c6868a..6f7ad10efd9 100644
--- a/.github/workflows/manual-nixpkgs.yml
+++ b/.github/workflows/manual-nixpkgs.yml
@@ -1,5 +1,7 @@
 name: "Build Nixpkgs manual"
 
+permissions: read-all
+
 on:
   pull_request_target:
     branches: