3 files changed, 17 insertions, 0 deletions
diff --git a/.github/workflows/cibuild.yml b/.github/workflows/cibuild.yml
index 811537cc88..dc10ad4c41 100644
--- a/.github/workflows/cibuild.yml
+++ b/.github/workflows/cibuild.yml
@@ -14,6 +14,9 @@ on:
       - 'Documentation/**'
       - 'lib*/docs/**'
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -38,6 +41,10 @@ jobs:
       - name: Make install
         run: .github/workflows/cibuild.sh INSTALL
   coveralls:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      checks: write # to create new checks (coverallsapp/github-action)
+
     runs-on: ubuntu-latest
     if: github.repository == 'util-linux/util-linux'
     env:
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index 93ebc3ceaa..e4945c06a2 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -12,8 +12,15 @@ on:
       - master
     paths:
       - '**'
+permissions:
+  contents: read # to clone the repo (google/oss-fuzz/infra/cifuzz/actions/run_fuzzers)
+
 jobs:
   Fuzzing:
+    permissions:
+      actions: read # to fetch the artifacts (google/oss-fuzz/infra/cifuzz/actions/run_fuzzers)
+      contents: read # to clone the repo (google/oss-fuzz/infra/cifuzz/actions/run_fuzzers)
+
     runs-on: ubuntu-latest
     if: github.repository == 'util-linux/util-linux'
     strategy:
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index d5cf381fc0..b86c00a5c1 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -6,6 +6,9 @@ on:
     # send data to Coverity daily at midnight
     - cron:  '0 0 * * *'
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   build:
     runs-on: ubuntu-latest