diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml
index 2bf6cab0b7c..ef43bc83706 100644
--- a/.github/workflows/maintenance.yml
+++ b/.github/workflows/maintenance.yml
@@ -1,4 +1,5 @@
-name: 'Maintenance'
+name: Maintenance
+
 on:
 # So that PRs touching the same files as the push are updated
 push:
@@ -20,6 +21,9 @@ jobs:
 # We rely on other pushes to mark these branches as outdated.
 if: ${{ github.actor != 'l10nbot' }}
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
 - run: echo "${{ github.actor }}"
 - name: check if prs are dirty
diff --git a/.github/workflows/issue-mark-duplicate.yml b/.github/workflows/mark-duplicate.yml
similarity index 79%
rename from .github/workflows/issue-mark-duplicate.yml
rename to .github/workflows/mark-duplicate.yml
index f375c3816d8..9692bf2e1fb 100644
--- a/.github/workflows/issue-mark-duplicate.yml
+++ b/.github/workflows/mark-duplicate.yml
@@ -1,4 +1,4 @@
-name: Issue Mark Duplicate
+name: Mark duplicate
 on:
 issue_comment:
@@ -7,6 +7,10 @@ on:
 jobs:
 mark-duplicate:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ issues: write
+ pull-requests: write
 steps:
 - name: mark-duplicate
 uses: actions-cool/issues-helper@v3
diff --git a/.github/workflows/no-response.yml b/.github/workflows/no-response.yml
index 40be2bbfda4..f732c9414dc 100644
--- a/.github/workflows/no-response.yml
+++ b/.github/workflows/no-response.yml
@@ -1,4 +1,4 @@
-name: No Response
+name: No response
 # Both `issue_comment` and `scheduled` event types are required for this Action
 # to work properly.
@@ -12,6 +12,9 @@ on:
 jobs:
 noResponse:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
 - uses: lee-dohm/no-response@v0.5.0
 with:
diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml
index 89757759ddf..6287ca1d755 100644
--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
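Review bot: The `permissions:` block added in the `@@ -20,6 +21,9 @@` hunk of maintenance.yml is scoped to this one job, and the first hunk shows nothing between `name:` and `on:` that sets a workflow-level default, so a job added later without its own block would fall back to the repository's default token permissions. If no top-level key exists further down the file, add `permissions: {}` at workflow level and keep the per-job grants as they are; the same applies to mark-duplicate.yml, no-response.yml and release-docker.yml. The job's steps continue outside the hunk, so whether `contents: read` is actually needed (only if a step checks out or reads the repository) cannot be confirmed from here.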
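Review bot: In mark-duplicate.yml the job now hands a token with `issues: write` and `pull-requests: write` to `actions-cool/issues-helper@v3`, which is referenced by a mutable tag, and the workflow runs on `issue_comment`, an event any commenter can trigger. Pin the action to a full commit SHA so the code that receives the write-scoped token cannot change underneath the workflow, e.g. `uses: actions-cool/issues-helper@<full-commit-sha> # v3`. `lee-dohm/no-response@v0.5.0` in no-response.yml is tag-pinned in the same way. The step's inputs are outside the hunk.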
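Review bot: The `noResponse` job in no-response.yml is granted `pull-requests: write` but not `issues: write`, unlike the mark-duplicate job in this same commit. lee-dohm/no-response closes unanswered issues and removes the response-required label from them, which goes through the Issues API; with the token restricted as written those calls would likely be rejected once this lands. Add `issues: write` to the block, and keep `pull-requests: write` only if the action is meant to act on pull requests as well. The `with:` inputs are outside the hunk, so the configured label and token cannot be checked here.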
@@ -1,4 +1,4 @@
-name: 'Release Docker images'
+name: Release Docker images
 on:
 workflow_dispatch:
@@ -16,6 +16,8 @@ jobs:
 docker-release:
 name: 'retag and push'
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Debug
 run: |