diff --git a/.github/workflows/actionci.yml b/.github/workflows/actionci.yml
index 9a3f9e2ad..f8482e66b 100644
--- a/.github/workflows/actionci.yml
+++ b/.github/workflows/actionci.yml
@@ -16,6 +16,7 @@ jobs:
 actionci:
 permissions:
 contents: read
+ actions: read
 security-events: write
 uses: smallstep/workflows/.github/workflows/actionci.yml@main
 secrets: inherit
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index c0b39e0c5..b145ea969 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -2,8 +2,7 @@ name: Dependabot auto-merge
 on: pull_request
 permissions:
- contents: write
- pull-requests: write
+ pull-requests: read
 jobs:
 dependabot-auto-merge:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index addabe3f7..e84e7b436 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -86,7 +86,7 @@ jobs:
 needs: create_release
 permissions:
 id-token: write
- contents: write
+ contents: read
 uses: smallstep/workflows/.github/workflows/docker-buildx-push.yml@main
 with:
 platforms: linux/amd64,linux/386,linux/arm,linux/arm64
@@ -100,7 +100,7 @@ jobs:
 needs: create_release
 permissions:
 id-token: write
- contents: write
+ contents: read
 uses: smallstep/workflows/.github/workflows/docker-buildx-push.yml@main
 with:
 platforms: linux/amd64,linux/386,linux/arm,linux/arm64
diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
index 5203ce171..7a0e63253 100644
--- a/.github/workflows/triage.yml
+++ b/.github/workflows/triage.yml
@@ -11,7 +11,6 @@ on:
 - reopened
 permissions:
- pull-requests: write
 issues: write
 jobs:
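Review bot: The `permissions` block in the actionci.yml hunk is tightened, but the callee is still referenced by a mutable ref, `uses: smallstep/workflows/.github/workflows/actionci.yml@main`, together with `secrets: inherit`, so whatever is on that branch at run time receives every secret this repository can pass, independent of the token scopes set here. Pinning the reference to a full commit SHA, e.g. `uses: smallstep/workflows/.github/workflows/actionci.yml@<full-commit-sha>  # main`, and passing only the named secrets the callee needs would make the least-privilege change hold. The same applies to the two `docker-buildx-push.yml@main` jobs in the release.yml hunks, which keep `id-token: write`. The new line would also benefit from a comment saying why it is needed, for example `# actions: read is required by the called workflow (presumably for the code-scanning upload; confirm)`.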
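Review bot: With the workflow-level token in dependabot-auto-merge.yml reduced to `pull-requests: read` (and `contents` now implicitly `none`, because unlisted scopes are dropped once any scope is set), the `dependabot-auto-merge` job can no longer approve or merge with `GITHUB_TOKEN` unless it declares its own `permissions:` or authenticates with another credential; the job body is outside this hunk, so this should be confirmed. If the merge step uses a PAT or app token from a secret, that credential is likely broader than the scoped token it replaces and deserves a comment above the block, e.g. `# read-only on purpose; merging is done with <token source> in the job below`. If the job still relies on `GITHUB_TOKEN`, grant the write scopes at job level rather than restoring them at workflow level.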