diff --git a/.github/workflows/autoroll.yml b/.github/workflows/autoroll.yml
index a33034b38..ec64d40a6 100644
--- a/.github/workflows/autoroll.yml
+++ b/.github/workflows/autoroll.yml
@@ -1,4 +1,6 @@
 name: Update dependencies
+permissions:
+ contents: read
 on:
 schedule:
@@ -7,6 +9,8 @@ on:
 jobs:
 update-dependencies:
+ permissions:
+ contents: write
 name: Update dependencies
 runs-on: ubuntu-latest
@@ -38,7 +42,6 @@ jobs:
 echo "changed=true" >> $GITHUB_OUTPUT
 fi
 id: update_dependencies
-
 - name: Push changes and create PR
 if: steps.update_dependencies.outputs.changed == 'true'
 run: |
diff --git a/.github/workflows/bazel.yml b/.github/workflows/bazel.yml
index dfb5e5ae3..88700c44c 100644
--- a/.github/workflows/bazel.yml
+++ b/.github/workflows/bazel.yml
@@ -1,4 +1,6 @@
 name: Build and Test with Bazel
+permissions:
+ contents: read
 on:
 push:
diff --git a/.github/workflows/wasm.yml b/.github/workflows/wasm.yml
index fa8951a16..62c9af384 100644
--- a/.github/workflows/wasm.yml
+++ b/.github/workflows/wasm.yml
@@ -1,4 +1,6 @@
 name: Wasm Build
+permissions:
+ contents: read
 on: [push, pull_request]
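Review bot: The top-level `permissions:` block added in the first hunk of autoroll.yml has no comment saying it is the workflow-wide default for `GITHUB_TOKEN`, and the same uncommented block is added in bazel.yml and wasm.yml. Once `permissions` is set, every scope that is not listed drops to `none`, so whoever adds a job later needs to know that extra access has to be declared on that job. I would put `# Least-privilege default for GITHUB_TOKEN; jobs that need more declare it themselves.` above each block. The jobs of bazel.yml and wasm.yml are outside the diff, so it is worth confirming that none of them relies on a scope other than read access to contents.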
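Review bot: The job-level block on `update-dependencies` (second hunk of autoroll.yml) grants only `contents: write`, while the step named `Push changes and create PR` in the following hunk suggests the job also opens a pull request. A job-level `permissions` key replaces the workflow default and leaves unlisted scopes at `none`, so if that step authenticates with `GITHUB_TOKEN`, creating the PR would presumably fail without `pull-requests: write`. The step's `run` body is outside the diff, so this applies only if no separate token is used; in that case add `pull-requests: write` under `contents: write`.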