diff --git a/.github/workflows/check_changelogs.yml b/.github/workflows/check_changelogs.yml
index 9b39233dd8..02b57a5e36 100644
--- a/.github/workflows/check_changelogs.yml
+++ b/.github/workflows/check_changelogs.yml
@@ -2,6 +2,10 @@ name: Check changelog entries
 
 on:
   pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   check-changelogs:
diff --git a/.github/workflows/gpu_test.yml b/.github/workflows/gpu_test.yml
index 337a2d2578..c474485dc0 100644
--- a/.github/workflows/gpu_test.yml
+++ b/.github/workflows/gpu_test.yml
@@ -13,6 +13,9 @@ on:
 env:
   LD_LIBRARY_PATH: /usr/local/cuda/extras/CUPTI/lib64:/usr/local/cuda/lib64
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/hypothesis.yaml b/.github/workflows/hypothesis.yaml
index d8a0acdfd4..1ec6b4806d 100644
--- a/.github/workflows/hypothesis.yaml
+++ b/.github/workflows/hypothesis.yaml
@@ -9,6 +9,9 @@ on:
     - cron: "0 0 * * *" # Daily “At 00:00” UTC
   workflow_dispatch: # allows you to trigger manually
 
+permissions:
+  contents: read
+
 env:
   FORCE_COLOR: 3
 
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index cc76093694..0050b2f06a 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,6 +7,9 @@ on:
     branches: [main, 3.1.x]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/needs_release_notes.yml b/.github/workflows/needs_release_notes.yml
index d789a926a2..b7b467d790 100644
--- a/.github/workflows/needs_release_notes.yml
+++ b/.github/workflows/needs_release_notes.yml
@@ -1,7 +1,8 @@
 name: "Pull Request Labeler"
 
 on:
-  - pull_request_target
+  - pull_request_target:
+      types: [opened, reopened, synchronize]
 
 jobs:
   labeler:
diff --git a/.github/workflows/nightly_wheels.yml b/.github/workflows/nightly_wheels.yml
index 82a8676834..834d563722 100644
--- a/.github/workflows/nightly_wheels.yml
+++ b/.github/workflows/nightly_wheels.yml
@@ -6,6 +6,9 @@ on:
     - cron: '0 2 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build_and_upload_nightly:
     name: Build and upload nightly wheels
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
index 054bc00e45..e3e3c446fa 100644
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@@ -1,6 +1,14 @@
 name: Wheels
 
-on: [push, pull_request]
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index bd6a3a91a7..5af29c960e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,6 +10,9 @@ on:
     branches: [ main, 3.1.x ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -150,4 +153,4 @@ jobs:
           contains(needs.*.result, 'cancelled')
         run: exit 1
       - name: Success
-        run: echo Success!
\ No newline at end of file
+        run: echo Success!