diff --git a/.github/workflows/header_checks.yml b/.github/workflows/header_checks.yml
index 063263e935a..6453816a320 100644
--- a/.github/workflows/header_checks.yml
+++ b/.github/workflows/header_checks.yml
@@ -13,8 +13,14 @@ on:
       - 'README.md'
       - 'RELEASE-NOTES.txt'
 
+permissions:
+  contents: read
+
 jobs:
   windows:
+    permissions:
+      actions: write  # for n1hility/cancel-previous-runs to create & stop workflow runs
+      contents: read  # for actions/checkout to fetch code
     name: Windows
     runs-on: windows-latest
 
@@ -47,6 +53,9 @@ jobs:
       run: make -j2 test-headers
 
   opencl:
+    permissions:
+      actions: write  # for n1hility/cancel-previous-runs to create & stop workflow runs
+      contents: read  # for actions/checkout to fetch code
     name: OpenCL
     runs-on: ubuntu-latest
 
@@ -64,6 +73,9 @@ jobs:
         echo "STAN_OPENCL=true" > make/local
         make -j2 test-headers
   no_range_checks:
+    permissions:
+      actions: write  # for n1hility/cancel-previous-runs to create & stop workflow runs
+      contents: read  # for actions/checkout to fetch code
     name: NoRange
     runs-on: ubuntu-latest
 
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 94635289116..5efa4756d30 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -12,8 +12,14 @@ on:
       - 'LICENSE.md'
       - 'README.md'
       - 'RELEASE-NOTES.txt'
+permissions:
+  contents: read
+
 jobs:
   prim-rev:
+    permissions:
+      actions: write  # for n1hility/cancel-previous-runs to create & stop workflow runs
+      contents: read  # for actions/checkout to fetch code
     name: prim and rev tests
     runs-on: windows-latest