diff --git a/.github/workflows/add-discuss-during-sync.yml b/.github/workflows/add-discuss-during-sync.yml
index 46d3f13..f04f2e1 100644
--- a/.github/workflows/add-discuss-during-sync.yml
+++ b/.github/workflows/add-discuss-during-sync.yml
@@ -18,6 +18,9 @@ on:
     types:
       - submitted
 
+permissions:
+  pull-requests: write
+
 jobs:
   add-label:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/changelog-bot.yml b/.github/workflows/changelog-bot.yml
index aede2f3..4149ba4 100644
--- a/.github/workflows/changelog-bot.yml
+++ b/.github/workflows/changelog-bot.yml
@@ -9,6 +9,11 @@ on:
     paths-ignore:
       - CHANGELOG.md
 
+permissions:
+  packages: read
+  pull-requests: read
+  contents: write
+
 jobs:
   changelog-bot:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/lint-action-workflows.yml b/.github/workflows/lint-action-workflows.yml
index ed595c4..5ef3173 100644
--- a/.github/workflows/lint-action-workflows.yml
+++ b/.github/workflows/lint-action-workflows.yml
@@ -6,6 +6,9 @@ concurrency:
   group: lint-actions-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  packages: read
+
 jobs:
   lint:
     name: Lint
@@ -14,6 +17,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4.1.1
       - name: Check workflow files
-        uses: docker://ghcr.io/ponylang/shared-docker-ci-actionlint:20241206
+        uses: docker://ghcr.io/ponylang/shared-docker-ci-actionlint:20250119
         with:
           args: -color
diff --git a/.github/workflows/release-notes-reminder.yml b/.github/workflows/release-notes-reminder.yml
index ba3c0cd..9ee3644 100644
--- a/.github/workflows/release-notes-reminder.yml
+++ b/.github/workflows/release-notes-reminder.yml
@@ -2,7 +2,12 @@ name: Release Notes Reminder
 
 on:
   pull_request_target:
-    types: [labeled]
+    types:
+      - labeled
+
+permissions:
+  packages: read
+  pull-requests: write
 
 jobs:
   release-note-reminder:
diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml
index 0f9e100..120fbf7 100644
--- a/.github/workflows/release-notes.yml
+++ b/.github/workflows/release-notes.yml
@@ -12,6 +12,7 @@ on:
 
 permissions:
   packages: read
+  pull-requests: read
   contents: write
 
 jobs:
diff --git a/.github/workflows/remove-discuss-during-sync.yml b/.github/workflows/remove-discuss-during-sync.yml
index c4d7d6d..bab8a12 100644
--- a/.github/workflows/remove-discuss-during-sync.yml
+++ b/.github/workflows/remove-discuss-during-sync.yml
@@ -8,6 +8,9 @@ on:
     types:
       - closed
 
+permissions:
+  pull-requests: write
+
 jobs:
   remove-label:
     runs-on: ubuntu-latest