diff --git a/.github/workflows/announce-a-release.yml b/.github/workflows/announce-a-release.yml
index e9f9293..e7bb0fa 100644
--- a/.github/workflows/announce-a-release.yml
+++ b/.github/workflows/announce-a-release.yml
@@ -7,6 +7,10 @@ on:
 
 concurrency: announce-a-release
 
+permissions:
+  packages: read
+  contents: write
+
 jobs:
   announce:
     name: Announcements
diff --git a/.github/workflows/breakage-against-linux-ponyc-latest.yml b/.github/workflows/breakage-against-linux-ponyc-latest.yml
index 81775be..e759432 100644
--- a/.github/workflows/breakage-against-linux-ponyc-latest.yml
+++ b/.github/workflows/breakage-against-linux-ponyc-latest.yml
@@ -4,6 +4,9 @@ on:
   repository_dispatch:
     types: [shared-docker-linux-builders-updated]
 
+permissions:
+  packages: read
+
 jobs:
   vs-ponyc-main-linux:
     name: Verify main against ponyc main on Linux
diff --git a/.github/workflows/breakage-against-macos-arm64-ponyc-latest.yml b/.github/workflows/breakage-against-macos-arm64-ponyc-latest.yml
index 6c29810..e5bb389 100644
--- a/.github/workflows/breakage-against-macos-arm64-ponyc-latest.yml
+++ b/.github/workflows/breakage-against-macos-arm64-ponyc-latest.yml
@@ -4,6 +4,9 @@ on:
   repository_dispatch:
     types: [ponyc-arm64-macos-nightly-released]
 
+permissions:
+  packages: read
+
 jobs:
   vs-ponyc-main-macos:
     name: Verify main against ponyc main on arm64 macOS
diff --git a/.github/workflows/breakage-against-macos-x86-ponyc-latest.yml b/.github/workflows/breakage-against-macos-x86-ponyc-latest.yml
index b6772c4..69b5e3d 100644
--- a/.github/workflows/breakage-against-macos-x86-ponyc-latest.yml
+++ b/.github/workflows/breakage-against-macos-x86-ponyc-latest.yml
@@ -4,6 +4,9 @@ on:
   repository_dispatch:
     types: [ponyc-x86_64-macos-nightly-released]
 
+permissions:
+  packages: read
+
 jobs:
   vs-ponyc-main-macos:
     name: Verify main against ponyc main on x86-64 macOS
diff --git a/.github/workflows/latest-docker-image.yml b/.github/workflows/latest-docker-image.yml
index 07f5836..d2222b7 100644
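Review bot: The workflow-level `permissions:` block added to announce-a-release.yml hands `contents: write` to every job in the file, not only to the one that needs to push, which is the opposite of the least-privilege split GitHub recommends for write scopes. Move the write grant onto the job that actually commits (`jobs.<id>.permissions: {contents: write, packages: read}`) and keep the top level at `permissions: contents: read`, so any job added later starts read-only; the jobs themselves are outside this hunk, so which one needs write cannot be confirmed here. Also worth a comment above the block: it only constrains `GITHUB_TOKEN` — a PAT or app token used by a step keeps its own scope regardless of what is declared here.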
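Review bot: Declaring `permissions:` with only `packages: read` in breakage-against-linux-ponyc-latest.yml sets every other scope, including `contents`, to `none`, so any `actions/checkout` step in this workflow now works only because the repository is public; if it were ever made private the checkout would presumably fail with an unhelpful "repository not found". Spell the dependency out as `packages: read` plus `contents: read` so the intent survives that change. The same applies to the two macOS breakage hunks that follow on this line; the job bodies are outside all three hunks.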
--- a/.github/workflows/latest-docker-image.yml
+++ b/.github/workflows/latest-docker-image.yml
@@ -9,6 +9,9 @@ concurrency:
   group: build-latest-docker-images
   cancel-in-progress: true
 
+permissions:
+  packages: write
+
 jobs:
   build-latest-docker-image:
     name: Build and push latest Docker image
diff --git a/.github/workflows/nightlies.yml b/.github/workflows/nightlies.yml
index 36f6e4b..969a42a 100644
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  packages: read
+
 jobs:
   x86-64-unknown-linux-nightly:
     name: Build and upload x86-64-unknown-linux-nightly to Cloudsmith
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 2f9e8ff..6a7368f 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -6,6 +6,9 @@ concurrency:
   group: pr-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  packages: read
+
 jobs:
   superlinter:
     name: Lint bash, docker, markdown, and yaml
diff --git a/.github/workflows/prepare-for-a-release.yml b/.github/workflows/prepare-for-a-release.yml
index ad3e51d..34c6630 100644
--- a/.github/workflows/prepare-for-a-release.yml
+++ b/.github/workflows/prepare-for-a-release.yml
@@ -7,6 +7,10 @@ on:
 
 concurrency: prepare-for-a-release
 
+permissions:
+  packages: read
+  contents: write
+
 jobs:
   # all tasks that need to be done before we add an X.Y.Z tag
   # should be done as a step in the pre-tagging job.
diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml
index 120fbf7..0f9e100 100644
--- a/.github/workflows/release-notes.yml
+++ b/.github/workflows/release-notes.yml
@@ -12,7 +12,6 @@ on:
 
 permissions:
   packages: read
-  pull-requests: read
   contents: write
 
 jobs:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7d84246..4f1ff7a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
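Review bot: `packages: write` is declared at the workflow level in latest-docker-image.yml, so every job in the file receives a token that can overwrite the published GHCR image, not just `build-latest-docker-image`; whether other jobs exist is not visible in this hunk, but a workflow-wide write grant is the wrong default either way. Scope it on the job, `jobs.build-latest-docker-image.permissions: {packages: write, contents: read}`, and keep the top-level block read-only. The explicit `contents: read` also matters because the new block otherwise sets `contents` to `none`, which only works for checkout while the repository stays public.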
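Review bot: With only `packages: read` declared in pr.yml, `statuses` (and `contents`) become `none`, while super-linter's documented minimum for its per-linter status-check reporting is `contents: read`, `packages: read` and `statuses: write`; if the superlinter job relies on those commit statuses they will no longer be posted for same-repo branches (fork PRs already get a read-only token). If that reporting is wanted, add `statuses: write` on the superlinter job only rather than at the workflow level; otherwise add `contents: read` here so the read-only intent is explicit. The job configuration is outside the hunk, so which applies cannot be checked from this diff.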
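Review bot: In prepare-for-a-release.yml the workflow-level `contents: write` is what lets `GITHUB_TOKEN` push the X.Y.Z tag the comment below refers to, and as written every job in the file inherits that ability, including any validation job added in front of the pre-tagging job later. Put the grant on the pre-tagging job (`jobs.<pre-tagging-id>.permissions: {contents: write, packages: read}`) and set the top level to `permissions: contents: read`; the job definitions are outside this hunk. A one-line comment on the block, such as `# contents: write is required to push the release tag`, would also record why a write scope is present at all.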
@@ -7,6 +7,10 @@ on:
 
 concurrency: release
 
+permissions:
+  packages: write
+  contents: write
+
 jobs:
   # validation to assure that we should in fact continue with the release should
   # be done here. the primary reason for this step is to verify that the release
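Review bot: The comment directly under `jobs:` says release.yml starts with a validation job, yet the workflow-level block gives that validation job `packages: write` and `contents: write` along with everything else; a job whose purpose is to decide whether to continue should not hold a token able to push images or commits. Declare `contents: write` only on the job that commits or tags and `packages: write` only on the job that pushes to GHCR, with the top level reduced to `permissions: contents: read`; the job bodies are outside this hunk so the exact split has to be done against the full file. As with the other workflows in this change, the block governs `GITHUB_TOKEN` only, so any PAT used for release steps is unaffected and still deserves its own review.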