diff --git a/.github/workflows/module-release.yml b/.github/workflows/module-release.yml
index e773ee27..09be3dec 100644
--- a/.github/workflows/module-release.yml
+++ b/.github/workflows/module-release.yml
@@ -44,9 +44,13 @@ on:
         required: true
         type: string
 
+permissions: {}
+
 jobs:
   prepare-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # checkout repository to detect module changes and list modules
     outputs:
       modules: ${{ steps.get-modules.outputs.modules }}
     steps:
@@ -104,6 +108,9 @@ jobs:
     needs: prepare-release
     runs-on: ubuntu-latest
     if: needs.prepare-release.outputs.modules && needs.prepare-release.result == 'success'
+    permissions:
+      contents: write # create GitHub release, push tags, push branch for module-path PR
+      pull-requests: write # create PR for module path update (v2+ scenario)
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 020571cf..7515c497 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -41,9 +41,14 @@ on:
         description: 'Version tag produced by the release job'
         value: ${{ jobs.release.outputs.released_version }}
 
+permissions: {}
+
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # create GitHub release, upload release asset, push branch for module-path PR
+      pull-requests: write # create PR for module path update (v2+ scenario)
     outputs:
       released_version: ${{ steps.version.outputs.next_version }}
       core_changed: ${{ steps.detect.outputs.core_changed }}
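Review bot: With `permissions: {}` now at the top of module-release.yml, every job in the file that does not declare its own `permissions` block runs with a token that has no scopes at all; this diff covers `prepare-release` and the release job only, so any other job in the file (not visible here) that checks out a private repository or calls the GitHub API will fail at that step rather than at parse time unless it gets its own block. The inline comments on the added lines use a single space before `#`, whereas yamllint's default requires two, e.g. `contents: read  # checkout repository to detect module changes and list modules`; the same applies to every added comment line in this commit. The `on:` block this hunk starts in begins outside the hunk.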
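Review bot: `contents: write` here is scoped to "push tags, push branch", but the scope lets the token push to any branch of the repository for the life of the job, and `actions/checkout@v6` persists that token in the checked-out clone's git config by default, so every later step in this job (including any build or release script taken from the checked-out ref) can use it; adding `persist-credentials: false` to the checkout step, and authenticating the explicit push/tag steps with the token themselves, limits that exposure. If the PR mentioned in the `pull-requests: write` comment is opened with the job's own GITHUB_TOKEN, GitHub does not trigger `pull_request` workflows on it, so its checks will not run; whether a GitHub App or PAT token is used instead cannot be seen here because the steps are outside the hunk. The job's header (its name) is also outside the hunk.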
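Review bot: Since `on:` declares `workflow_call` outputs (`value: ${{ jobs.release.outputs.released_version }}`), release.yml is a reusable workflow, and a job-level `permissions` block in a called workflow can only narrow what the calling job passes; a caller whose job grants less than `contents: write` and `pull-requests: write` will have this `release` job fail when it starts. That requirement is not recorded anywhere in the hunk, so a header comment such as `# Reusable workflow: the caller's job must grant contents: write and pull-requests: write` would save callers a failed run. The same applies to module-release.yml if it is also invoked via `workflow_call`, which the visible `on:` fragment does not settle.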
@@ -440,6 +445,11 @@ jobs:
   bump-modules:
     needs: release
     if: needs.release.result == 'success' && needs.release.outputs.core_changed == 'true' && inputs.skipModuleBump != true
+    permissions:
+      contents: write # callee (auto-bump-modules) commits, pushes branch, merges PR
+      pull-requests: write # callee creates and merges the bump PR
+      actions: read # callee reads workflow run status
+      checks: write # callee writes check results
     uses: ./.github/workflows/auto-bump-modules.yml
     with:
      coreVersion: ${{ needs.release.outputs.released_version }}
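Review bot: The four scopes granted to `bump-modules` are what every job in the called `auto-bump-modules.yml` inherits unless that workflow declares its own job-level `permissions`, so the callee should narrow per job rather than rely on this block; in particular `checks: write` is only needed if the callee creates or updates check runs, while merely reading run status (as the `actions: read` comment describes) needs `checks: read` at most. Whether the callee actually writes check results cannot be confirmed from this diff, so the comment `# callee writes check results` should be verified against the callee before the scope is kept. The `jobs:` mapping this hunk belongs to begins outside the hunk.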