diff --git a/extensions/workflows/bump_version.yml b/extensions/workflows/bump_version.yml
index 7f4318dcf54ad8c9360ae622354530b2b54c6a03..28a8654adfa4cff9464cb51009440487849b8eab 100644
--- a/extensions/workflows/bump_version.yml
+++ b/extensions/workflows/bump_version.yml
@@ -40,6 +40,10 @@ jobs:
 needs:
 - determine_bump_type
 if: github.event.action != 'labeled' || needs.determine_bump_type.outputs.bump_type != 'patch'
+ permissions:
+ contents: write
+ issues: write
+ pull-requests: write
 uses: zed-industries/zed/.github/workflows/extension_bump.yml@main
 secrets:
 app-id: ${{ secrets.ZED_ZIPPY_APP_ID }}
diff --git a/extensions/workflows/release_version.yml b/extensions/workflows/release_version.yml
index f752931917292110580a74198d3e1231098539db..623ec04fde43d2c7797c30f22ff05e147154b547 100644
--- a/extensions/workflows/release_version.yml
+++ b/extensions/workflows/release_version.yml
@@ -7,6 +7,9 @@ on:
 - v**
 jobs:
 call_release_version:
+ permissions:
+ contents: write
+ pull-requests: write
 uses: zed-industries/zed/.github/workflows/extension_release.yml@main
 secrets:
 app-id: ${{ secrets.ZED_ZIPPY_APP_ID }}
diff --git a/extensions/workflows/run_tests.yml b/extensions/workflows/run_tests.yml
index 81ba76c483479ed827f0a91181557a2387b40722..60fa9f7d0fd3a416ffabc2d9d7c7da22661c7a19 100644
--- a/extensions/workflows/run_tests.yml
+++ b/extensions/workflows/run_tests.yml
@@ -10,6 +10,8 @@ on:
 - main
 jobs:
 call_extension_tests:
+ permissions:
+ contents: read
 uses: zed-industries/zed/.github/workflows/extension_tests.yml@main
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.ref_name == 'main' && github.sha || 'anysha' }}pr
diff --git a/tooling/xtask/src/tasks/workflows/extensions/bump_version.rs b/tooling/xtask/src/tasks/workflows/extensions/bump_version.rs
index 1564fef448fc305897b9edcd64245255b8e0b168..f0aae59b154f44b6c0bd7ea6014a47183a596df4 100644
--- a/tooling/xtask/src/tasks/workflows/extensions/bump_version.rs
+++ b/tooling/xtask/src/tasks/workflows/extensions/bump_version.rs
@@ -1,6 +1,6 @@
 use gh_workflow::{
- Event, Expression, Input, Job, PullRequest, PullRequestType, Push, Run, Step, UsesJob,
- Workflow, WorkflowDispatch,
+ Event, Expression, Input, Job, Level, Permissions, PullRequest, PullRequestType, Push, Run,
+ Step, UsesJob, Workflow, WorkflowDispatch,
 };
 use indexmap::IndexMap;
 use indoc::indoc;
@@ -40,6 +40,12 @@ pub(crate) fn call_bump_version(
 "github.event.action != 'labeled' || {} != 'patch'",
 bump_type.expr()
 )))
+ .permissions(
+ Permissions::default()
+ .contents(Level::Write)
+ .issues(Level::Write)
+ .pull_requests(Level::Write),
+ )
 .uses(
 "zed-industries",
 "zed",
diff --git a/tooling/xtask/src/tasks/workflows/extensions/release_version.rs b/tooling/xtask/src/tasks/workflows/extensions/release_version.rs
index ebeb6959a97d672abeaa151c124e48008ddf9e05..77c97d33c6171f3c09addb16dd834d4acbfcf63d 100644
--- a/tooling/xtask/src/tasks/workflows/extensions/release_version.rs
+++ b/tooling/xtask/src/tasks/workflows/extensions/release_version.rs
@@ -1,4 +1,4 @@
-use gh_workflow::{Event, Job, Push, UsesJob, Workflow};
+use gh_workflow::{Event, Job, Level, Permissions, Push, UsesJob, Workflow};
 
 use crate::tasks::workflows::{
 extensions::WithAppSecrets,
@@ -14,6 +14,11 @@ pub(crate) fn release_version() -> Workflow {
 
 pub(crate) fn call_release_version() -> NamedJob {
 let job = Job::default()
+ .permissions(
+ Permissions::default()
+ .contents(Level::Write)
+ .pull_requests(Level::Write),
+ )
 .uses(
 "zed-industries",
 "zed",
diff --git a/tooling/xtask/src/tasks/workflows/extensions/run_tests.rs b/tooling/xtask/src/tasks/workflows/extensions/run_tests.rs
index 885a8fd09fe0488c92162a9bccd0f70ed6c7fefd..0c0ca696612fa57903f35c0ea69404f5dc7d1fe0 100644
--- a/tooling/xtask/src/tasks/workflows/extensions/run_tests.rs
+++ b/tooling/xtask/src/tasks/workflows/extensions/run_tests.rs
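Review bot: The `.permissions(...)` chain in the second bump_version.rs hunk grants `contents`, `issues` and `pull-requests` at `Level::Write` without a comment tying each scope to the step in extension_bump.yml that needs it, and `issues: write` is not an obvious requirement of a version bump. The same job forwards an app token (visible as `secrets: app-id` in the generated bump_version.yml), so some of these writes may already go through the app rather than GITHUB_TOKEN; if so the token grant can be narrower. Suggest a comment above `.permissions(` such as `// Caps GITHUB_TOKEN for extension_bump.yml; each scope should map to a callee step — TODO confirm issues: write is used.` The same applies to the `contents`/`pull-requests` grant in the release_version.rs hunk below. `call_bump_version` begins before this hunk and continues past it.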
@@ -1,4 +1,4 @@
-use gh_workflow::{Event, Job, PullRequest, Push, UsesJob, Workflow};
+use gh_workflow::{Event, Job, Level, Permissions, PullRequest, Push, UsesJob, Workflow};
 
 use crate::tasks::workflows::{
 steps::{NamedJob, named},
@@ -16,12 +16,14 @@ pub(crate) fn run_tests() -> Workflow {
 }
 
 pub(crate) fn call_extension_tests() -> NamedJob {
- let job = Job::default().uses(
- "zed-industries",
- "zed",
- ".github/workflows/extension_tests.yml",
- "main",
- );
+ let job = Job::default()
+ .permissions(Permissions::default().contents(Level::Read))
+ .uses(
+ "zed-industries",
+ "zed",
+ ".github/workflows/extension_tests.yml",
+ "main",
+ );
 
 named::job(job)
 }
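Review bot: `.permissions(Permissions::default().contents(Level::Read))` in `call_extension_tests` introduces the read-only cap without a comment explaining that it is the upper bound for the called workflow. A reusable workflow can only reduce, never exceed, the caller's grant, so a later change to extension_tests.yml that needs another scope will fail at run time unless this line is widened too, which is worth stating where the grant lives. Suggest `// Read-only cap for extension_tests.yml: a called reusable workflow cannot exceed this grant, so widen here if the callee ever needs more.` above `.permissions(`. The generated run_tests.yml carries the matching `contents: read`.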