diff --git a/.github/workflows/e2e-cleanups.yml b/.github/workflows/e2e-cleanups.yml
index e41d00e8dd2..ccc5bb10e65 100644
--- a/.github/workflows/e2e-cleanups.yml
+++ b/.github/workflows/e2e-cleanups.yml
@@ -5,6 +5,9 @@ on:
 # run every 6 hours on every weekday
 - cron: '0 */6 * * 1-5'
 
+permissions:
+ contents: read
+
 jobs:
 integration-tests:
 name: Cleanup e2e instances
diff --git a/.github/workflows/nightly-checks.yml b/.github/workflows/nightly-checks.yml
index 9cc8f140649..cd8f74fb018 100644
--- a/.github/workflows/nightly-checks.yml
+++ b/.github/workflows/nightly-checks.yml
@@ -4,6 +4,9 @@ on:
 schedule:
 - cron: "0 7 * * *"
 
+permissions:
+ contents: read
+
 jobs:
 integration-tests:
 name: Integration Tests
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bf2bad29a01..2ee1e11c539 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -297,6 +297,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 ref: refs/pull/${{ github.event.issue.number }}/head
+ persist-credentials: false
 fetch-depth: 1
 fetch-tags: false
 filter: 'blob:none'
@@ -445,6 +446,9 @@ jobs:
 timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
 continue-on-error: true
 
+ permissions:
+ contents: read
+
 strategy:
 matrix:
 version: [22] # NOTE: 18 is cached in the main release workflow
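Review bot: The new workflow-level `permissions:` block in e2e-cleanups.yml (and the identical one in nightly-checks.yml) carries no comment saying that every scope not listed is set to `none`, which is what catches out whoever later adds a step needing another scope. I would put a line above it such as `# Least privilege: unlisted GITHUB_TOKEN scopes are set to none; grant extras per job`. The job bodies lie outside both hunks, so it is worth confirming that neither job depends on a token scope beyond `contents: read`.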
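Review bot: In release.yml at the `@@ -297` hunk, `persist-credentials: false` only keeps the token out of `.git/config`; the step still checks out `refs/pull/${{ github.event.issue.number }}/head`, so any later step in this job that builds or runs the checked-out tree executes PR-author code with whatever secrets and token scopes the job has. The job's trigger, `permissions:` and remaining steps are outside the hunk, so this needs checking there rather than here. A comment above the new line, for example `# PR head is untrusted: keep GITHUB_TOKEN out of .git/config`, would record why the flag is set. Separately, `actions/checkout@v4` is a mutable tag; pinning to `actions/checkout@<full-commit-sha> # v4` would match the hardening intent of this change.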
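Review bot: release.yml receives `permissions: contents: read` on a single job (the `@@ -445` hunk), whereas the two scheduled workflows get a workflow-level default, so any other job in release.yml without its own block would keep the repository's default token scopes. That appears to include the job in the `@@ -297` hunk that checks out the pull-request head, although its header is not visible in this diff. A top-level `permissions: {}` or `contents: read` in release.yml, with per-job grants where a job needs more, would make the default explicit instead of relying on each job remembering to restrict itself.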