diff --git a/.github/workflows/clang-tests.yml b/.github/workflows/clang-tests.yml
--- a/.github/workflows/clang-tests.yml
+++ b/.github/workflows/clang-tests.yml
@@ -1,5 +1,8 @@
 name: Clang Tests
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/closed-issues.yml b/.github/workflows/closed-issues.yml
--- a/.github/workflows/closed-issues.yml
+++ b/.github/workflows/closed-issues.yml
@@ -3,8 +3,14 @@
   issues:
     types: ['closed']
 
+permissions:
+  contents: read
+
 jobs:
   automate-issues-labels:
+    permissions:
+      issues: write  # for andymckay/labeler to label issues
+      pull-requests: write  # for andymckay/labeler to label PRs
     runs-on: ubuntu-latest
     if: github.repository == 'llvm/llvm-project'
     steps:
diff --git a/.github/workflows/issue-release-workflow.yml b/.github/workflows/issue-release-workflow.yml
--- a/.github/workflows/issue-release-workflow.yml
+++ b/.github/workflows/issue-release-workflow.yml
@@ -14,6 +14,9 @@
 
 name: Issue Release Workflow
 
+permissions:
+  contents: read
+
 on:
   issue_comment:
     types:
diff --git a/.github/workflows/issue-subscriber.yml b/.github/workflows/issue-subscriber.yml
--- a/.github/workflows/issue-subscriber.yml
+++ b/.github/workflows/issue-subscriber.yml
@@ -5,6 +5,9 @@
     types:
       - labeled
 
+permissions:
+  contents: read
+
 jobs:
   auto-subscribe:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/libclang-abi-tests.yml b/.github/workflows/libclang-abi-tests.yml
--- a/.github/workflows/libclang-abi-tests.yml
+++ b/.github/workflows/libclang-abi-tests.yml
@@ -1,5 +1,8 @@
 name: libclang ABI Tests
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/libclc-tests.yml b/.github/workflows/libclc-tests.yml
--- a/.github/workflows/libclc-tests.yml
+++ b/.github/workflows/libclc-tests.yml
@@ -1,5 +1,8 @@
 name: libclc Tests
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/lld-tests.yml b/.github/workflows/lld-tests.yml
--- a/.github/workflows/lld-tests.yml
+++ b/.github/workflows/lld-tests.yml
@@ -1,5 +1,8 @@
 name: LLD Tests
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/lldb-tests.yml b/.github/workflows/lldb-tests.yml
--- a/.github/workflows/lldb-tests.yml
+++ b/.github/workflows/lldb-tests.yml
@@ -1,5 +1,8 @@
 name: lldb Tests
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/llvm-bugs.yml b/.github/workflows/llvm-bugs.yml
--- a/.github/workflows/llvm-bugs.yml
+++ b/.github/workflows/llvm-bugs.yml
@@ -1,5 +1,9 @@
 name: LLVM Bugs notifier
 
+permissions:
+  contents: read
+  issues: read
+
 on:
   issues:
     types:
diff --git a/.github/workflows/llvm-project-tests.yml b/.github/workflows/llvm-project-tests.yml
--- a/.github/workflows/llvm-project-tests.yml
+++ b/.github/workflows/llvm-project-tests.yml
@@ -1,5 +1,8 @@
 name: LLVM Project Tests
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/llvm-tests.yml b/.github/workflows/llvm-tests.yml
--- a/.github/workflows/llvm-tests.yml
+++ b/.github/workflows/llvm-tests.yml
@@ -1,5 +1,8 @@
 name: LLVM Tests
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/new-issues.yml b/.github/workflows/new-issues.yml
--- a/.github/workflows/new-issues.yml
+++ b/.github/workflows/new-issues.yml
@@ -3,8 +3,14 @@
   issues:
     types: ['opened']
 
+permissions:
+  contents: read
+
 jobs:
   automate-issues-labels:
+    permissions:
+      issues: write  # for andymckay/labeler to label issues
+      pull-requests: write  # for andymckay/labeler to label PRs
     runs-on: ubuntu-latest
     if: github.repository == 'llvm/llvm-project'
     steps:
diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@@ -1,5 +1,8 @@
 name: Release Task
 
+permissions:
+  contents: read
+
 on:
   push:
     tags:
@@ -8,6 +11,8 @@
 
 jobs:
   release-tasks:
+    permissions:
+      contents: write # To upload assets to release.
     runs-on: ubuntu-latest
     if: github.repository == 'llvm/llvm-project'
     steps:
diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml
--- a/.github/workflows/version-check.yml
+++ b/.github/workflows/version-check.yml
@@ -8,6 +8,9 @@
     branches:
       - 'release/**'
 
+permissions:
+  contents: read
+
 jobs:
   version_check:
     if: github.repository_owner == 'llvm'