diff --git a/.github/workflows/check_labels.yml b/.github/workflows/check_labels.yml
index 3e99d548c39..e26945114db 100644
--- a/.github/workflows/check_labels.yml
+++ b/.github/workflows/check_labels.yml
@@ -32,6 +32,10 @@ on:
         description: "Whether to force running the jobs"
         value: ${{ jobs.check-labels.outputs.force }}
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   check-labels:
     name: Check labels
diff --git a/.github/workflows/cpp_extra.yml b/.github/workflows/cpp_extra.yml
index 612175e60f6..4b2290d0776 100644
--- a/.github/workflows/cpp_extra.yml
+++ b/.github/workflows/cpp_extra.yml
@@ -26,6 +26,7 @@ on:
       - '.dockerignore'
       - '.github/workflows/check_labels.yml'
       - '.github/workflows/cpp_extra.yml'
+      - '.github/workflows/cpp_windows.yml'
       - '.github/workflows/report_ci.yml'
       - 'ci/conda_env_*'
       - 'ci/docker/**'
@@ -47,6 +48,7 @@ on:
       - '.dockerignore'
       - '.github/workflows/check_labels.yml'
       - '.github/workflows/cpp_extra.yml'
+      - '.github/workflows/cpp_windows.yml'
       - '.github/workflows/report_ci.yml'
       - 'ci/conda_env_*'
       - 'ci/docker/**'
diff --git a/.github/workflows/cpp_windows.yml b/.github/workflows/cpp_windows.yml
index 394cd8851c3..69bbfee28b9 100644
--- a/.github/workflows/cpp_windows.yml
+++ b/.github/workflows/cpp_windows.yml
@@ -33,6 +33,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   windows:
     runs-on: ${{ inputs.os }}
diff --git a/.github/workflows/report_ci.yml b/.github/workflows/report_ci.yml
index d8315123ccf..4978162de29 100644
--- a/.github/workflows/report_ci.yml
+++ b/.github/workflows/report_ci.yml
@@ -20,6 +20,10 @@ name: Report CI results
 on:
   workflow_call:
 
+permissions:
+  actions: read
+  contents: read
+
 jobs:
   report-ci:
     runs-on: ubuntu-latest