diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 5f2bef1..84d7856 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -3,6 +3,10 @@ name: Node.js Package
 on:
   release:
     types: [released]
+
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index ce833c5..710b851 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -3,6 +3,11 @@ name: Run build/tests/lint on pull requests
 on:
   pull_request:
 
+
+permissions:
+  contents: read
+  security-events: write
+
 # By default the karma test runners use the karma 'Chrome' runner
 # This is great when running locally because the browser pops up and you get to see what it does
 # This doesn't work in Actions, however, so we set this env var to force the Headless runner
diff --git a/.github/workflows/push-mainline-to-github-pages.yml b/.github/workflows/push-mainline-to-github-pages.yml
index 426a571..5c715de 100644
--- a/.github/workflows/push-mainline-to-github-pages.yml
+++ b/.github/workflows/push-mainline-to-github-pages.yml
@@ -8,6 +8,10 @@ on:
   push:
     branches: [mainline2.0]
 
+
+permissions:
+  contents: write
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   push_to_gh-pages_branch: