diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d2cf5ed10b6..58b5f65b02a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,11 +18,12 @@ permissions:
 packages: write
 issues: write
 pull-requests: write
- actions: write
 jobs:
 lint_test_build:
 uses: ./.github/workflows/lint_test_build.yml
+ permissions:
+ contents: read
 with:
 node_version: "22"
 secrets:
@@ -31,6 +32,9 @@ jobs:
 pack:
 uses: ./.github/workflows/pack.yml
+ permissions:
+ contents: write
+ packages: write
 secrets:
 GCR_JSON_KEY_BASE64: ${{ secrets.GCR_JSON_KEY_BASE64 }}
 if: ${{ github.event_name == 'workflow_dispatch' }}
diff --git a/.github/workflows/pack.yml b/.github/workflows/pack.yml
index 122a8e2bc52..4fdf8bf49cd 100644
--- a/.github/workflows/pack.yml
+++ b/.github/workflows/pack.yml
@@ -34,6 +34,8 @@ env:
 jobs:
 version:
 uses: ./.github/workflows/version.yml
+ permissions:
+ contents: write
 with:
 semantic_version: ${{ inputs.semantic_version }}
 dry_run: true
@@ -43,6 +45,9 @@ jobs:
 group: zitadel-public
 environment: ${{ github.ref_protected == 'true' && 'Protected' || null }}
 needs: version
+ permissions:
+ contents: read
+ packages: write
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ccc3764cc8f..b68fb62a0ab 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,6 +32,8 @@ on:
 jobs:
 version:
 uses: ./.github/workflows/version.yml
+ permissions:
+ contents: write
 with:
 semantic_version: ${{ inputs.semantic_version }}
 dry_run: false
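Review bot: The workflow-level `permissions:` block above `jobs:` in ci.yml still hands `packages: write`, `issues: write` and `pull-requests: write` to every job that has no block of its own, so removing `actions: write` narrows the default only slightly. The block starts outside this hunk, but a default of `contents: read` with write scopes granted per job would match what the commit already does for `lint_test_build`. Separately, a `permissions:` block on a job that calls a reusable workflow is a ceiling for the called jobs: if any job in lint_test_build.yml declares a scope beyond `contents: read`, the workflow fails validation instead of running. The same check applies to the `pack` hunk in this file and to the `version` jobs in pack.yml and release.yml; none of the called files are visible here, so this should be confirmed against them.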
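Review bot: `contents: write` on the `pack` job in ci.yml (hunk `@@ -31,6 +32,9 @@`) looks wider than the work needs: in pack.yml the only job this commit gives `contents: write` is `version`, and it is called with `dry_run: true`, while the build job gets `contents: read`. If version.yml can complete a dry run with read access, both this block and the one at pack.yml `@@ -34,6 +34,8 @@` could be lowered to `contents: read`. If the write scope is required because version.yml declares it statically, a comment such as `# contents: write is required by version.yml, even for dry runs` would record why. version.yml is not part of this diff, so which case applies is not visible here.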
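Review bot: In pack.yml hunk `@@ -43,6 +45,9 @@` the job now holds a `packages: write` token and its first step is `actions/checkout@v4`, which by default leaves the token in the checked-out repository's git configuration for the later steps. Unless a later step pushes with git, adding `with:` and `persist-credentials: false` to the checkout step keeps the token out of reach of build scripts. The step list continues outside this hunk, so the checkout step may already set this. A short comment naming the step that needs `packages: write` would also help the next reviewer judge whether the scope is still required.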