diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 42d24ec32..5b66cf664 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -6,6 +6,11 @@ on:
       - created
   pull_request_target:
 
+permissions:
+  contents: read
+  pull-requests: write
+  statuses: write
+
 jobs:
   check:
     if: >-
diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml
index 573ef0f37..a7baf6dc5 100644
--- a/.github/workflows/issues.yml
+++ b/.github/workflows/issues.yml
@@ -6,6 +6,10 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+  issues: write
+
 env:
   FEEDBACK_LBL: pending::feedback
   SUPPORT_LBL: pending::support
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
index b0db246f0..cdfbf9ce1 100644
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -15,15 +15,23 @@ on:
         default: false
         type: boolean
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     if: '!github.event.repository.fork'
     runs-on: ubuntu-slim
+    permissions:
+      contents: read
+      issues: write
     env:
       GLOBAL: https://raw.githubusercontent.com/conda/infra/main/.github/global.yml
       LOCAL: .github/labels.yml
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - id: has_local
         uses: andstor/file-existence-action@558493d6c74bf472d87c84eab196434afc2fa029 # v3.1.0
diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml
index ae0bb89ea..968474b6f 100644
--- a/.github/workflows/project.yml
+++ b/.github/workflows/project.yml
@@ -5,6 +5,9 @@ on:
     types:
       - opened
 
+permissions:
+  contents: read
+
 jobs:
   add_to_project:
     if: '!github.event.repository.fork'
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index f08bef854..684997576 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -12,6 +12,9 @@ on:
     types:
       - created
 
+permissions:
+  contents: read
+
 jobs:
   update:
     if: >-
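Review bot: `pull-requests: write` and `statuses: write` are granted at workflow level in the cla.yml hunk, so every job in the file receives them, whereas labels.yml and update.yml in the same commit keep the top level at `contents: read` and raise scopes only on the job that needs them; the issues.yml hunk has the same shape with `issues: write`. Moving the write scopes under `jobs.check.permissions` (and under the relevant job in issues.yml) would keep the default token read-only for any job added to these files later. Because cla.yml also runs on `pull_request_target`, the elevated token is present while the workflow handles PRs from forks; the check job body is outside the hunk, so confirm it does not check out or execute the PR head while holding those scopes, and if it does check out, pass `persist-credentials: false` as labels.yml now does.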
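Review bot: The job-level block in the labels.yml hunk repeats `contents: read` under `jobs.sync.permissions`; that repetition is required rather than redundant, because a job-level `permissions` map replaces the workflow-level one and any scope left out becomes none, so removing it would break the checkout step that follows. A one-line comment above it, `# job-level permissions replace the workflow set; contents: read is still needed for checkout`, would stop a later cleanup from dropping it. The remaining steps of the sync job are outside the hunk.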
@@ -29,6 +32,10 @@ jobs:
         )
       )
     runs-on: ubuntu-slim
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
     steps:
       - if: github.event_name == 'issue_comment'
         uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
@@ -40,9 +47,11 @@ jobs:
       - if: github.event.comment.body == '@conda-bot render'
         name: Configure git origin
+        env:
+          PR_API_URL: ${{ github.event.issue.pull_request.url }}
         run: |
-          echo REPOSITORY=$(curl --silent ${{ github.event.issue.pull_request.url }} | jq --raw-output '.head.repo.full_name') >> $GITHUB_ENV
-          echo REF=$(curl --silent ${{ github.event.issue.pull_request.url }} | jq --raw-output '.head.ref') >> $GITHUB_ENV
+          echo REPOSITORY=$(curl --silent "$PR_API_URL" | jq --raw-output '.head.repo.full_name') >> $GITHUB_ENV
+          echo REF=$(curl --silent "$PR_API_URL" | jq --raw-output '.head.ref') >> $GITHUB_ENV
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
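Review bot: `contents: write` in the job-level block of the first update.yml hunk is the scope that allows pushing to this repository, and the following hunk shows the same job resolving `REPOSITORY` and `REF` from the PR's head before an `actions/checkout` step, so whatever is checked out there runs inside a job holding a push-capable token. The `if: >-` condition that gates who can trigger the job starts above the hunk; confirm it limits the `@conda-bot render` comment path to trusted author associations before relying on these scopes. A short comment above the block naming which step needs each write scope would document the intent for later audits; the steps that use `pull-requests: write` and `issues: write` are outside the hunk, so the exact wording has to come from them.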