diff --git a/.github/workflows/node-pretest.yml b/.github/workflows/node-pretest.yml
index 48c68f5955..7706a11e93 100644
--- a/.github/workflows/node-pretest.yml
+++ b/.github/workflows/node-pretest.yml
@@ -2,6 +2,9 @@ name: 'Tests: pretest/posttest'
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 jobs:
   pretest:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/node.yml b/.github/workflows/node.yml
index 6fc77ea08d..fe45fe2cc0 100644
--- a/.github/workflows/node.yml
+++ b/.github/workflows/node.yml
@@ -2,6 +2,9 @@ name: 'Tests: node.js'
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 jobs:
   matrix:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
index 027aed0797..323387ccab 100644
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@@ -2,8 +2,14 @@ name: Automatic Rebase
 
 on: [pull_request_target]
 
+permissions:
+  contents: read
+
 jobs:
   _:
+    permissions:
+      contents: write  # for ljharb/rebase to push code to rebase
+      pull-requests: read  # for ljharb/rebase to get info about PR
     name: "Automatic Rebase"
 
     runs-on: ubuntu-latest
diff --git a/.github/workflows/require-allow-edits.yml b/.github/workflows/require-allow-edits.yml
index 549d7b4823..eb3631b9e3 100644
--- a/.github/workflows/require-allow-edits.yml
+++ b/.github/workflows/require-allow-edits.yml
@@ -2,8 +2,13 @@ name: Require “Allow Edits”
 
 on: [pull_request_target]
 
+permissions:
+  contents: read
+
 jobs:
   _:
+    permissions:
+      pull-requests: read  # for ljharb/require-allow-edits to check 'allow edits' on PR
     name: "Require “Allow Edits”"
 
     runs-on: ubuntu-latest