diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index 999dfc79..a0980cab 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - main
 
+# No GITHUB_TOKEN permissions, because we use AUTOMERGE_TOKEN instead.
+permissions: {}
+
 jobs:
 auto-merge:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index ec390fb6..1ef8f5bd 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [ main ]
 
+# No GITHUB_TOKEN permissions, because we don't use it.
+permissions: {}
+
 env:
 MDN_SETTINGS: .settings.test.toml
 
diff --git a/.github/workflows/idle.yml b/.github/workflows/idle.yml
index 45bb1cef..f8d69b25 100644
--- a/.github/workflows/idle.yml
+++ b/.github/workflows/idle.yml
@@ -4,6 +4,12 @@ on:
 schedule:
 - cron: "0 8 * * *"
 
+permissions:
+ # Label issues.
+ issues: write
+ # Label pull requests.
+ pull-requests: write
+
 jobs:
 mark-as-idle:
 uses: mdn/workflows/.github/workflows/idle.yml@main
diff --git a/.github/workflows/pr-needs-rebase.yml b/.github/workflows/pr-needs-rebase.yml
index 6a85137e..eded05fd 100644
--- a/.github/workflows/pr-needs-rebase.yml
+++ b/.github/workflows/pr-needs-rebase.yml
@@ -5,6 +5,10 @@ on:
 pull_request_target:
 types: [synchronize]
 
+permissions:
+ # Label pull requests.
+ pull-requests: write
+
 jobs:
 label-rebase-needed:
 uses: mdn/workflows/.github/workflows/pr-rebase-needed.yml@main
diff --git a/.github/workflows/welcome-bot.yml b/.github/workflows/welcome-bot.yml
deleted file mode 100644
index 3e8d8660..00000000
--- a/.github/workflows/welcome-bot.yml
+++ /dev/null
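Review bot: The comment added in `.github/workflows/auto-merge.yml` explains why GITHUB_TOKEN is emptied, but not that `permissions: {}` has no effect on AUTOMERGE_TOKEN, which by the comment's own wording is the credential the workflow relies on. If that secret is a personal access token or app token (not visible in this hunk), its scope is fixed where the token was issued and has to be kept narrow there. I would extend the comment to `# No GITHUB_TOKEN permissions: this workflow uses AUTOMERGE_TOKEN, whose scope is configured outside this file.` The job body continues outside the hunk, so any step that silently falls back to the default token should be checked against the empty permission set.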
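Review bot: In `.github/workflows/idle.yml` the new `issues: write` and `pull-requests: write` grants are handed to a reusable workflow referenced by the mutable ref `@main`, so the code that receives the write-scoped token can change without any change in this repository. Pinning the reference to a full commit SHA, `uses: mdn/workflows/.github/workflows/idle.yml@<full-commit-sha>`, would fix what runs with these permissions. The same applies to the `pr-rebase-needed.yml@main` reference in `.github/workflows/pr-needs-rebase.yml`. As a smaller point, the block could sit under `jobs.mark-as-idle.permissions` so that a job added later does not inherit the write scopes.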
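Review bot: `.github/workflows/pr-needs-rebase.yml` triggers on `pull_request_target`, so the `pull-requests: write` token is issued in the base repository's context even for pull requests from forks, and the added comment does not record the condition that keeps this safe. I would expand it to `# Label pull requests. Runs on pull_request_target: the called workflow must not check out or execute code from the PR head.` The called workflow is not visible in this diff, so that property should be confirmed against it before relying on the narrowed permission set alone.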
@@ -1,33 +0,0 @@
-name: "AlloAllo"
-
-on:
- issues:
- types:
- - opened
- pull_request_target:
- branches:
- - main
- types:
- - opened
- - closed
-
-jobs:
- allo-allo:
- uses: mdn/workflows/.github/workflows/allo-allo.yml@main
- with:
- target-repo: "mdn/rumba"
- issue-welcome: |
- It looks like this is your first issue. Welcome! 👋
- One of the project maintainers will be with you as soon as possible. We
- appreciate your patience. To safeguard the health of the project, please
- take a moment to read our [code of conduct](../blob/main/CODE_OF_CONDUCT.md).
- pr-welcome: |
- It looks like this is your first pull request. 🎉
- Thank you for your contribution! One of the project maintainers will triage
- and assign the pull request for review. We appreciate your patience. To
- safeguard the health of the project, please take a moment to read our
- [code of conduct](../blob/main/CODE_OF_CONDUCT.md).
- pr-merged: |
- Congratulations on your first merged pull request. 🎉 Thank you for your contribution!
- Did you know we have a [project board](https://github.com/orgs/mdn/projects/25) with high-impact contribution opportunities?
- We look forward to your next contribution.