diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 7dc838c..d44efdc 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -18,6 +18,10 @@ on:
 # The branches below must be a subset of the branches above
 branches: [ master ]
+permissions:
+ actions: read
+ contents: read
+ security-events: write
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index c2c2882..83bb661 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -3,6 +3,9 @@ on:
 push:
 branches:
 - deploy-**
+permissions:
+ contents: read
+ deployments: write
 jobs:
 deploy:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9404060..f364e40 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,4 +1,9 @@
 name: "build-test"
+
+permissions:
+ contents: read
+ deployments: write
+
 on: # rebuild any PRs and main branch changes
 pull_request:
 push:
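Review bot: The `security-events: write` grant in codeql-analysis.yml is declared at workflow level, so any job later added to this file inherits it. Only `analyze` appears to need it (the job body continues outside the hunk), so the write scope is better confined by keeping the top level at `contents: read` and moving the three-scope block under `jobs.analyze.permissions`. A job-level block replaces the workflow-level one rather than merging with it, so `actions: read` and `contents: read` must be repeated there. The same placement applies to `deployments: write` in deploy.yml.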
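Review bot: In deploy.yml, every scope not listed in the new `permissions:` block is now set to `none`, so the `deploy` job runs with only `contents: read` and `deployments: write`. The job's steps are outside this hunk; if any of them authenticate through OIDC, publish packages or push to a branch, they would need `id-token: write`, `packages: write` or `contents: write` and would now fail at run time. Confirm the list against the steps, and record why each scope is needed in a comment above the block, for example `# deployments: write is needed to create the deployment status`.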
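Review bot: `deployments: write` in test.yml looks carried over from deploy.yml and is broader than a build-and-test workflow normally needs. This workflow triggers on `pull_request` and `push`, so it runs code from contributed branches, and the token available to that code should be read-only unless a step really creates deployments. The jobs are outside this hunk, so first confirm that none of them call the Deployments API. If none do, drop the `deployments: write` line so the block is just `permissions:` followed by `contents: read`.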