diff --git a/.github/workflows/copycat-db-release.yml b/.github/workflows/copycat-db-release.yml
index 5ec942879d..ab8bac861c 100644
--- a/.github/workflows/copycat-db-release.yml
+++ b/.github/workflows/copycat-db-release.yml
@@ -3,6 +3,9 @@ name: "Release (copycat-db)"
 on:
     workflow_dispatch: # Run manually
 
+permissions:
+    contents: read
+
 jobs:
     build:
         runs-on: ubuntu-latest
diff --git a/.github/workflows/server-publish-ghcr.yml b/.github/workflows/server-publish-ghcr.yml
index 5167f8cc4c..1d2e059208 100644
--- a/.github/workflows/server-publish-ghcr.yml
+++ b/.github/workflows/server-publish-ghcr.yml
@@ -7,6 +7,10 @@ on:
     # Run manually if needed to publish out of schedule.
     workflow_dispatch:
 
+permissions:
+    contents: read
+    packages: write
+
 jobs:
     publish:
         runs-on: ubuntu-latest
diff --git a/.github/workflows/server-release.yml b/.github/workflows/server-release.yml
index fa02155300..6db84b1bfc 100644
--- a/.github/workflows/server-release.yml
+++ b/.github/workflows/server-release.yml
@@ -3,6 +3,9 @@ name: "Release (server)"
 on:
     workflow_dispatch: # Run manually
 
+permissions:
+    contents: read
+
 jobs:
     build:
         runs-on: ubuntu-latest
diff --git a/.github/workflows/web-publish-ghcr.yml b/.github/workflows/web-publish-ghcr.yml
index 76c0c3de26..b69a75977f 100644
--- a/.github/workflows/web-publish-ghcr.yml
+++ b/.github/workflows/web-publish-ghcr.yml
@@ -7,6 +7,10 @@ on:
     # Run manually if needed to publish out of schedule.
     workflow_dispatch:
 
+permissions:
+    contents: read
+    packages: write
+
 jobs:
     publish:
         runs-on: ubuntu-latest