diff --git a/.github/workflows/extension_bump.yml b/.github/workflows/extension_bump.yml index 31676e5c914719a34f8b2e61193475ed107cd2db..6d41aeecc173edc9b5b54db1e109bbd70f2a6436 100644 --- a/.github/workflows/extension_bump.yml +++ b/.github/workflows/extension_bump.yml @@ -66,7 +66,7 @@ jobs: if: |- (github.repository_owner == 'zed-industries' || github.repository_owner == 'zed-extensions') && (inputs.force-bump == 'true' || needs.check_bump_needed.outputs.needs_bump == 'true') - runs-on: namespace-profile-8x16-ubuntu-2204 + runs-on: namespace-profile-2x4-ubuntu-2404 steps: - id: generate-token name: extension_bump::generate_token @@ -119,7 +119,7 @@ jobs: needs: - check_bump_needed if: (github.repository_owner == 'zed-industries' || github.repository_owner == 'zed-extensions') && github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.check_bump_needed.outputs.needs_bump == 'false' - runs-on: namespace-profile-8x16-ubuntu-2204 + runs-on: namespace-profile-2x4-ubuntu-2404 steps: - id: generate-token name: extension_bump::generate_token diff --git a/.github/workflows/extension_release.yml b/.github/workflows/extension_release.yml index 5212a79c3e55637aa932be62aea0a626af545a7c..557d056d01fd6bd7217c24e7fc90a68905e28a36 100644 --- a/.github/workflows/extension_release.yml +++ b/.github/workflows/extension_release.yml @@ -13,7 +13,7 @@ on: jobs: create_release: if: (github.repository_owner == 'zed-industries' || github.repository_owner == 'zed-extensions') - runs-on: namespace-profile-8x16-ubuntu-2204 + runs-on: namespace-profile-2x4-ubuntu-2404 steps: - id: generate-token name: extension_bump::generate_token diff --git a/extensions/workflows/bump_version.yml b/extensions/workflows/bump_version.yml index 7f4318dcf54ad8c9360ae622354530b2b54c6a03..49aca672e257362247411624903851d286197365 100644 --- a/extensions/workflows/bump_version.yml +++ b/extensions/workflows/bump_version.yml 
@@ -13,7 +13,9 @@ on: workflow_dispatch: {} jobs: determine_bump_type: - runs-on: namespace-profile-16x32-ubuntu-2204 + if: (github.repository_owner == 'zed-industries' || github.repository_owner == 'zed-extensions') + runs-on: namespace-profile-2x4-ubuntu-2404 + permissions: {} steps: - id: get-bump-type name: extensions::bump_version::get_bump_type @@ -40,6 +42,11 @@ jobs: needs: - determine_bump_type if: github.event.action != 'labeled' || needs.determine_bump_type.outputs.bump_type != 'patch' + permissions: + actions: write + contents: write + issues: write + pull-requests: write uses: zed-industries/zed/.github/workflows/extension_bump.yml@main secrets: app-id: ${{ secrets.ZED_ZIPPY_APP_ID }} diff --git a/extensions/workflows/release_version.yml b/extensions/workflows/release_version.yml index f752931917292110580a74198d3e1231098539db..623ec04fde43d2c7797c30f22ff05e147154b547 100644 --- a/extensions/workflows/release_version.yml +++ b/extensions/workflows/release_version.yml @@ -7,6 +7,9 @@ on: - v** jobs: call_release_version: + permissions: + contents: write + pull-requests: write uses: zed-industries/zed/.github/workflows/extension_release.yml@main secrets: app-id: ${{ secrets.ZED_ZIPPY_APP_ID }} diff --git a/extensions/workflows/run_tests.yml b/extensions/workflows/run_tests.yml index 81ba76c483479ed827f0a91181557a2387b40722..60fa9f7d0fd3a416ffabc2d9d7c7da22661c7a19 100644 --- a/extensions/workflows/run_tests.yml +++ b/extensions/workflows/run_tests.yml @@ -10,6 +10,8 @@ on: - main jobs: call_extension_tests: + permissions: + contents: read uses: zed-industries/zed/.github/workflows/extension_tests.yml@main concurrency: group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.ref_name == 'main' && github.sha || 'anysha' }}pr diff --git a/tooling/xtask/src/tasks/workflows/extension_bump.rs b/tooling/xtask/src/tasks/workflows/extension_bump.rs index 8772011a2d1f48550095a916ab516cc98ac2d1f7..eac25ffbaf5ef806beab89999b6457504a8d1bd8 100644 
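Review bot: In the `call_bump_version` hunk of extensions/workflows/bump_version.yml the caller hands the reusable workflow `actions: write` next to contents/issues/pull-requests, yet nothing in this diff shows which step of extension_bump.yml needs to cancel, re-run or dispatch workflows, and that scope also allows deleting artifacts and caches. `issues: write` is at least traceable to the label-creating job in tooling/xtask/src/tasks/workflows/extension_bump.rs; `actions: write` deserves the same traceability, and if the callee performs its writes with the App token minted by `generate_token`, the GITHUB_TOKEN ceiling granted here may be reducible further. These YAML files appear to be generated from the xtask sources changed in the same diff, so the justification (or narrowing) belongs in `bump_version.rs` rather than here, e.g. a comment on the grant like `// actions: write — required by <step> in extension_bump.yml; drop once unused`.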
--- a/tooling/xtask/src/tasks/workflows/extension_bump.rs +++ b/tooling/xtask/src/tasks/workflows/extension_bump.rs @@ -107,7 +107,7 @@ fn create_version_label( "{DEFAULT_REPOSITORY_OWNER_GUARD} && github.event_name == 'push' && github.ref == 'refs/heads/main' && {} == 'false'", needs_bump.expr(), ))) - .runs_on(runners::LINUX_LARGE) + .runs_on(runners::LINUX_SMALL) .timeout_minutes(1u32) .add_step(generate_token) .add_step(steps::checkout_repo()) @@ -190,7 +190,7 @@ fn bump_extension_version( force_bump.expr(), needs_bump.expr(), ))) - .runs_on(runners::LINUX_LARGE) + .runs_on(runners::LINUX_SMALL) .timeout_minutes(1u32) .add_step(generate_token) .add_step(steps::checkout_repo()) diff --git a/tooling/xtask/src/tasks/workflows/extension_release.rs b/tooling/xtask/src/tasks/workflows/extension_release.rs index c55fed0cb8a0959923be79a55f0397d6190453e4..2344495661ca523f570dc2f7a0c95039082bb5ce 100644 --- a/tooling/xtask/src/tasks/workflows/extension_release.rs +++ b/tooling/xtask/src/tasks/workflows/extension_release.rs @@ -33,7 +33,7 @@ fn create_release(app_id: &WorkflowSecret, app_secret: &WorkflowSecret) -> Named let job = Job::default() .with_repository_owner_guard() - .runs_on(runners::LINUX_LARGE) + .runs_on(runners::LINUX_SMALL) .add_step(generate_token) .add_step(checkout_repo()) .add_step(get_extension_id) diff --git a/tooling/xtask/src/tasks/workflows/extensions/bump_version.rs b/tooling/xtask/src/tasks/workflows/extensions/bump_version.rs index 1564fef448fc305897b9edcd64245255b8e0b168..77a33e079eac9d10544bf4b7a4f19dd4033f89dd 100644 --- a/tooling/xtask/src/tasks/workflows/extensions/bump_version.rs +++ b/tooling/xtask/src/tasks/workflows/extensions/bump_version.rs 
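Review bot: Both `create_version_label` and `bump_extension_version` keep `.timeout_minutes(1u32)` while their runner drops from `runners::LINUX_LARGE` to `runners::LINUX_SMALL`, and each job still mints a token and runs `steps::checkout_repo()` inside that one minute. That budget was presumably sized on the 8x16 profile shown in the generated YAML; on the 2x4 profile a slow checkout fails the bump or labelling job outright rather than degrading it. Either re-validate the limit on the small runner or loosen it with a rationale, e.g. `.timeout_minutes(3u32) // token mint + checkout on LINUX_SMALL; sized generously`. The visible part of `create_release` in extension_release.rs shows no timeout at all, which is the opposite inconsistency across the three jobs, though none of these function bodies is fully inside the hunks.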
@@ -1,13 +1,13 @@ use gh_workflow::{ - Event, Expression, Input, Job, PullRequest, PullRequestType, Push, Run, Step, UsesJob, - Workflow, WorkflowDispatch, + Event, Expression, Input, Job, Level, Permissions, PullRequest, PullRequestType, Push, Run, + Step, UsesJob, Workflow, WorkflowDispatch, }; use indexmap::IndexMap; use indoc::indoc; use crate::tasks::workflows::{ runners, - steps::{NamedJob, named}, + steps::{CommonJobConditions, NamedJob, named}, vars::{self, JobOutput, StepOutput, one_workflow_per_non_main_branch_and_token}, }; @@ -40,6 +40,13 @@ pub(crate) fn call_bump_version( "github.event.action != 'labeled' || {} != 'patch'", bump_type.expr() ))) + .permissions( + Permissions::default() + .contents(Level::Write) + .issues(Level::Write) + .pull_requests(Level::Write) + .actions(Level::Write), + ) .uses( "zed-industries", "zed", @@ -66,7 +73,9 @@ pub(crate) fn call_bump_version( fn determine_bump_type() -> (NamedJob, StepOutput) { let (get_bump_type, output) = get_bump_type(); let job = Job::default() - .runs_on(runners::LINUX_DEFAULT) + .with_repository_owner_guard() + .permissions(Permissions::default()) + .runs_on(runners::LINUX_SMALL) .add_step(get_bump_type) .outputs([(output.name.to_owned(), output.to_string())]); (named::job(job), output) diff --git a/tooling/xtask/src/tasks/workflows/extensions/release_version.rs b/tooling/xtask/src/tasks/workflows/extensions/release_version.rs index ebeb6959a97d672abeaa151c124e48008ddf9e05..77c97d33c6171f3c09addb16dd834d4acbfcf63d 100644 --- a/tooling/xtask/src/tasks/workflows/extensions/release_version.rs +++ b/tooling/xtask/src/tasks/workflows/extensions/release_version.rs @@ -1,4 +1,4 @@ -use gh_workflow::{Event, Job, Push, UsesJob, Workflow}; +use gh_workflow::{Event, Job, Level, Permissions, Push, UsesJob, Workflow}; use crate::tasks::workflows::{ extensions::WithAppSecrets, 
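Review bot: The `permissions` block added to `call_bump_version` is the ceiling inherited by every job of `zed-industries/zed/.github/workflows/extension_bump.yml`, and the `uses` call immediately below pins that workflow to the mutable `main` branch rather than a commit SHA. The pin is pre-existing, but granting four write scopes (plus the App secrets passed through) to a branch-pinned reusable workflow means any future change to `extension_bump.yml` on `main` immediately runs with `contents`/`issues`/`pull-requests`/`actions: write` in every extension repository that carries this template. If the branch pin is deliberate so fixes roll out to all extension repos at once, state it next to the grant, e.g. `// Ceiling for the reusable workflow; it is pinned to main on purpose — keep this list minimal.`; otherwise consider pinning to a SHA. The remainder of `call_bump_version` lies outside the hunk.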
@@ -14,6 +14,11 @@ pub(crate) fn release_version() -> Workflow { pub(crate) fn call_release_version() -> NamedJob { let job = Job::default() + .permissions( + Permissions::default() + .contents(Level::Write) + .pull_requests(Level::Write), + ) .uses( "zed-industries", "zed", diff --git a/tooling/xtask/src/tasks/workflows/extensions/run_tests.rs b/tooling/xtask/src/tasks/workflows/extensions/run_tests.rs index 885a8fd09fe0488c92162a9bccd0f70ed6c7fefd..0c0ca696612fa57903f35c0ea69404f5dc7d1fe0 100644 --- a/tooling/xtask/src/tasks/workflows/extensions/run_tests.rs +++ b/tooling/xtask/src/tasks/workflows/extensions/run_tests.rs @@ -1,4 +1,4 @@ -use gh_workflow::{Event, Job, PullRequest, Push, UsesJob, Workflow}; +use gh_workflow::{Event, Job, Level, Permissions, PullRequest, Push, UsesJob, Workflow}; use crate::tasks::workflows::{ steps::{NamedJob, named}, @@ -16,12 +16,14 @@ pub(crate) fn run_tests() -> Workflow { } pub(crate) fn call_extension_tests() -> NamedJob { - let job = Job::default().uses( - "zed-industries", - "zed", - ".github/workflows/extension_tests.yml", - "main", - ); + let job = Job::default() + .permissions(Permissions::default().contents(Level::Read)) + .uses( + "zed-industries", + "zed", + ".github/workflows/extension_tests.yml", + "main", + ); named::job(job) }
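Review bot: `call_release_version` now grants `pull_requests(Level::Write)` to a workflow that, judging by the `v**` tag-push trigger in the generated release_version.yml, appears to run only on tag pushes and never in pull-request context, and nothing visible in `extension_release.rs` (`create_release` → `get_extension_id`, …) performs a pull-request write. If the callee comments on or closes PRs after publishing a release that should be stated; otherwise `contents: write` alone looks sufficient for creating the release. A why-comment on the grant — `// contents: creates the GitHub release; pull-requests: <reason, or remove>` — would let the next reader verify it. By contrast the `contents(Level::Read)` grant added to `call_extension_tests` in run_tests.rs is the right shape for a test-only caller.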