diff --git a/.github/workflows/changelog.yaml b/.github/workflows/changelog.yaml
index 1befea5cc6b1..89e62c3c5272 100644
--- a/.github/workflows/changelog.yaml
+++ b/.github/workflows/changelog.yaml
@@ -5,6 +5,7 @@ on:
 tags:
 - v*
 - "!v0.0.0"
+
 permissions:
 contents: read
diff --git a/.github/workflows/dependabot-reviewer.yml b/.github/workflows/dependabot-reviewer.yml
index 0dfb799f0e6a..07ef5380b261 100644
--- a/.github/workflows/dependabot-reviewer.yml
+++ b/.github/workflows/dependabot-reviewer.yml
@@ -9,8 +9,8 @@ jobs:
 review:
 if: ${{ github.actor == 'dependabot[bot]' && github.repository == 'argoproj/argo-workflows'}}
 permissions:
- pull-requests: write
- contents: write
+ pull-requests: write # for approving a PR
+ contents: write # for enabling auto-merge on a PR
 runs-on: ubuntu-latest
 steps:
 - name: Dependabot metadata
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index a7bdc95e022d..c2fca301c51a 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -13,11 +13,13 @@ concurrency:
 cancel-in-progress: true
 permissions:
- contents: write
+ contents: read
 jobs:
 docs:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # for publishing the docs to GH Pages
 steps:
 - uses: actions/checkout@v4
 - uses: actions/setup-python@v4
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 806f0185412e..794612b92600 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -8,6 +8,9 @@ on:
 - reopened
 - synchronize
+permissions:
+ contents: read
+
 jobs:
 title-check:
 runs-on: ubuntu-latest
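Review bot: In dependabot-reviewer.yml the two write scopes that now carry comments are gated only by `github.actor == 'dependabot[bot]'` on the `review` job's `if:` line. `github.actor` names the account that triggered the run, which is not necessarily the author of the pull request, so the gate is weaker than it reads. GitHub's Dependabot automation examples test the author instead: `if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'argoproj/argo-workflows' }}`. The workflow's trigger is outside the hunk, so confirm which event feeds this job before changing the condition.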
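Review bot: In docs.yaml the job-level `contents: write` applies to every step of `docs`, not only the publish step. `actions/checkout@v4` keeps the job token in the checkout's git config by default, so the Python build steps that follow run with a write-capable token within reach. If the publish step (outside this hunk) passes its own token, set `persist-credentials: false` under `with:` on the checkout step; otherwise consider moving publishing into a separate job that alone holds `contents: write`. Both actions are also referenced by mutable tag (`@v4`); pinning them to a full commit SHA would fit the hardening intent of this change.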
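Review bot: The top-level `permissions:` block added to pr.yaml has no comment saying what `contents: read` is needed for, unlike the scopes annotated in dependabot-reviewer.yml and docs.yaml in this same commit. If `title-check` only inspects the pull-request title from the event payload and never checks out the repository, the block could be `permissions: {}`. The job's steps and the workflow trigger are outside the hunk, so this needs confirming. If the read scope is required, a trailing comment on that line naming the step that uses it would keep the three files consistent.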