diff --git a/.github/workflows/check-built-files.yml b/.github/workflows/check-built-files.yml
index 04510bd84809f..588ae6700d5e9 100644
--- a/.github/workflows/check-built-files.yml
+++ b/.github/workflows/check-built-files.yml
@@ -44,3 +44,5 @@ jobs:
 # This prevents an unnecessary second run after changes are committed back because Dependabot always rebases and force pushes.
 if: ${{ github.repository == 'wordpress/wordpress-develop' && ( github.actor != 'dependabot[bot]' || github.event.commits < 2 ) }}
 uses: WordPress/wordpress-develop/.github/workflows/reusable-check-built-files.yml@trunk
+ permissions:
+ contents: read
diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml
index 04d5c5bf81efe..4f8bbc645aae3 100644
--- a/.github/workflows/performance.yml
+++ b/.github/workflows/performance.yml
@@ -52,7 +52,8 @@ jobs:
 name: Determine Matrix
 runs-on: ubuntu-24.04
 if: ${{ ( github.repository == 'WordPress/wordpress-develop' || ( github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' ) ) && ! contains( github.event.before, '00000000' ) }}
- permissions: {}
+ permissions:
+ actions: read
 env:
 TARGET_SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }}
 outputs:
diff --git a/.github/workflows/upgrade-develop-testing.yml b/.github/workflows/upgrade-develop-testing.yml
index 4ce4b6182c882..68ea5b085a299 100644
--- a/.github/workflows/upgrade-develop-testing.yml
+++ b/.github/workflows/upgrade-develop-testing.yml
@@ -56,6 +56,8 @@ jobs:
 uses: WordPress/wordpress-develop/.github/workflows/reusable-upgrade-testing.yml@trunk
 if: ${{ github.repository == 'WordPress/wordpress-develop' || ( github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' ) }}
 needs: [ build ]
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
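Review bot: The `contents: read` added at the end of the check-built-files.yml hunk is the upper bound for GITHUB_TOKEN in every job of `reusable-check-built-files.yml`, yet the comment at the top of the hunk refers to changes being "committed back", so please confirm that nothing in the called workflow pushes with this token. A called workflow can only keep or reduce what the caller grants, so a push from there would now be rejected. If the commit-back runs elsewhere or with another credential, record that next to the block, e.g. `# Upper bound for the called workflow; the commit back does not use this token.` The same block is added to the `reusable-upgrade-testing.yml` call in upgrade-develop-testing.yml and would benefit from an equivalent one-line comment. The job definition starts outside the hunk, so the rest of its keys are not visible here.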
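Review bot: Replacing `permissions: {}` with `actions: read` in the performance.yml hunk widens the Determine Matrix job's token from no scopes to one, and nothing in the hunk says which step consumes it; the job's steps lie outside the hunk. Because the `if:` condition also lets this job run for `pull_request` events, a short justification keeps the grant reviewable, for example `# actions: read is needed by <step that reads workflow run data>.` with the placeholder filled in from the step that actually uses it.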