diff --git a/.github/workflows/compile-examples.yml b/.github/workflows/compile-examples.yml
index 51f2fe7c1..4ff26836a 100644
--- a/.github/workflows/compile-examples.yml
+++ b/.github/workflows/compile-examples.yml
@@ -23,6 +23,7 @@ on:
 jobs:
   compile-test:
     runs-on: ubuntu-latest
+    permissions: {}
 
     env:
       # sketch paths to compile (recursive) for all boards
diff --git a/.github/workflows/report-size-deltas.yml b/.github/workflows/report-size-deltas.yml
index 4a7c2ba20..bd38b2492 100644
--- a/.github/workflows/report-size-deltas.yml
+++ b/.github/workflows/report-size-deltas.yml
@@ -7,6 +7,8 @@ on:
 jobs:
   report:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
 
     steps:
       - name: Comment size deltas reports to PRs
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 3a330c127..69c9ed4b3 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -24,6 +24,8 @@ env:
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository
@@ -55,6 +57,7 @@ jobs:
   download:
     needs: check
     runs-on: ubuntu-latest
+    permissions: {}
 
     strategy:
       matrix:
@@ -81,6 +84,9 @@ jobs:
   sync:
     needs: download
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
 
     steps:
       - name: Set environment variables