diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
index 5ebc73b..2ea04ff 100644
--- a/.github/workflows/conventional-commits.yml
+++ b/.github/workflows/conventional-commits.yml
@@ -4,10 +4,17 @@ on:
   pull_request:
     types: [ opened, synchronize, reopened, edited ]
 
+permissions: { }
+
 jobs:
   build:
     name: conventional commits
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      pull-requests: read
+      packages: read
+      statuses: write
     steps:
       - name: checkout code
         uses: actions/checkout@v3
diff --git a/.github/workflows/conventional-pull-requests.yml b/.github/workflows/conventional-pull-requests.yml
index a9ffc80..65331b2 100644
--- a/.github/workflows/conventional-pull-requests.yml
+++ b/.github/workflows/conventional-pull-requests.yml
@@ -4,10 +4,17 @@ on:
   pull_request:
     types: [ opened, synchronize, reopened, edited ]
 
+permissions: { }
+
 jobs:
   build:
     name: conventional pull requests
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      pull-requests: read
+      packages: read
+      statuses: write
     steps:
       - name: conventional pull requests check
         uses: ytanikin/PRConventionalCommits@1.1.0
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index f0b0d16..274d9d8 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -12,6 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      pull-requests: read
       packages: read
       statuses: write
     steps: