diff --git a/.github/workflows/assign.yml b/.github/workflows/assign.yml
index 103f2b2359..b94b874cc2 100644
--- a/.github/workflows/assign.yml
+++ b/.github/workflows/assign.yml
@@ -7,6 +7,9 @@ on:
     types: [created]
   workflow_dispatch:
 
+permissions:
+  issues: write
+
 jobs:
   assign:
     permissions:
diff --git a/.github/workflows/build_all.yml b/.github/workflows/build_all.yml
index 5c8e93d819..5ff7201f84 100644
--- a/.github/workflows/build_all.yml
+++ b/.github/workflows/build_all.yml
@@ -46,7 +46,10 @@ on:
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
-  
+
+permissions:
+  contents: write
+  checks: write
 
 jobs:
   build_linux:
@@ -183,3 +186,4 @@ jobs:
         asset_name: OrcaSlicer-Linux-flatpak_nightly_${{ matrix.variant.arch }}.flatpak
         asset_content_type: application/octet-stream
         max_releases: 1 # optional, if there are more releases than this matching the asset_name, the oldest ones are going to be deleted
+
diff --git a/.github/workflows/build_check_cache.yml b/.github/workflows/build_check_cache.yml
index a97962aa7e..1725d1ec95 100644
--- a/.github/workflows/build_check_cache.yml
+++ b/.github/workflows/build_check_cache.yml
@@ -15,7 +15,10 @@ on:
       force-build:
         required: false
         type: boolean
-  
+
+permissions:
+  actions: write
+
 jobs:
   check_cache: # determines if there is a cache and outputs variables used in caching process
     name: Check Cache
diff --git a/.github/workflows/build_deps.yml b/.github/workflows/build_deps.yml
index 0267d22302..c5ef26f3ef 100644
--- a/.github/workflows/build_deps.yml
+++ b/.github/workflows/build_deps.yml
@@ -23,6 +23,9 @@ on:
         required: false
         type: boolean
 
+permissions:
+  actions: write
+
 jobs:
   build_deps:
     name: Build Deps