diff --git a/.github/workflows/electron_woa_testing.yml b/.github/workflows/electron_woa_testing.yml
index a7667da1af..3af8d005f3 100644
--- a/.github/workflows/electron_woa_testing.yml
+++ b/.github/workflows/electron_woa_testing.yml
@@ -10,6 +10,9 @@ on:
 type: text
 required: true
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
 jobs:
 electron-woa-init:
 if: ${{ github.event_name == 'push' && github.repository == 'electron/electron' }}
diff --git a/.github/workflows/issue-labeled.yml b/.github/workflows/issue-labeled.yml
index 085fec0936..11d9945852 100644
--- a/.github/workflows/issue-labeled.yml
+++ b/.github/workflows/issue-labeled.yml
@@ -4,8 +4,14 @@ on:
 issues:
 types: [labeled]
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
 jobs:
 issue-labeled:
+ permissions:
+ issues: write # for actions-cool/issues-helper to update issues
+ pull-requests: write # for actions-cool/issues-helper to update PRs
 runs-on: ubuntu-latest
 steps:
 - name: blocked/need-repro
diff --git a/.github/workflows/release_dependency_versions.yml b/.github/workflows/release_dependency_versions.yml
index 425f4ce4ab..32806dcc68 100644
--- a/.github/workflows/release_dependency_versions.yml
+++ b/.github/workflows/release_dependency_versions.yml
@@ -7,6 +7,9 @@ on:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
 jobs:
 check_tag:
 runs-on: ubuntu-latest
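Review bot: The trailing comment on the new `permissions:` line records which tool generated the block, not what the block does, and the same comment is repeated in the issue-labeled.yml and release_dependency_versions.yml hunks. A workflow-level `permissions` block sets every scope it does not list to `none` for all jobs, which is what a maintainer needs to know when a later job starts getting 403s. I would write `permissions: # token is read-only by default; jobs that need more declare it at job level`. The jobs in this file continue outside the hunk, so whether any of them needs a scope beyond `contents: read` cannot be confirmed from here.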
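Review bot: `pull-requests: write` on the `issue-labeled` job looks broader than the trigger requires, since the workflow runs only on `issues` events of type `labeled`. Unless a step outside the hunk acts on pull requests, `issues: write` alone should be enough and the `pull-requests: write` line can be dropped. A job-level `permissions` block also replaces the workflow-level one rather than merging with it, so this job has no `contents` access; that is worth a comment such as `# job-level block replaces the workflow default; contents is none here`. The write-scoped token is handed to a third-party action whose `uses:` reference lies outside the hunk, so whether it is pinned to a full commit SHA cannot be checked from here.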
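Review bot: With the token now limited to `contents: read`, any step that uses the workflow-level `GITHUB_TOKEN` env (the context lines just above the new block) for a write call would be refused, and this hunk adds no job-level `permissions` to cover that. Only the start of `check_tag` is visible, so the remaining jobs should be checked for API or `gh` calls that create or modify anything, and given an explicit job-level block where they do. Separately, moving `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` from workflow-level `env:` to the steps that actually use it would keep the token out of the environment of steps and actions that have no need for it.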