diff --git a/.github/workflows/deflake.yaml b/.github/workflows/deflake.yaml
index 9f60b0c964..235dacd6da 100644
--- a/.github/workflows/deflake.yaml
+++ b/.github/workflows/deflake.yaml
@@ -16,6 +16,10 @@ jobs:
     if: ${{ github.event.workflow_run.conclusion == 'failure' }}
     runs-on: ubuntu-latest
 
+    permissions:
+      # "Write" to Actions to enable rerun command.
+      actions: write
+
     steps:
       - name: Check run count and re-run workflow
         env:
diff --git a/.github/workflows/selenium-lab-tests.yaml b/.github/workflows/selenium-lab-tests.yaml
index 56bf6d9b3e..5ffc9aff6c 100644
--- a/.github/workflows/selenium-lab-tests.yaml
+++ b/.github/workflows/selenium-lab-tests.yaml
@@ -145,6 +145,11 @@ jobs:
     name: Pre-build Player
     needs: compute-sha
     runs-on: ubuntu-latest
+
+    permissions:
+      # "Write" to statuses to update commit status
+      statuses: write
+
     steps:
       - uses: actions/checkout@v4
         with:
@@ -209,6 +214,10 @@ jobs:
     # lab's Selenium grid on port 4444.
     runs-on: self-hosted-selenium
 
+    permissions:
+      # "Write" to statuses to update commit status
+      statuses: write
+
     # Only one run of this job is allowed at a time, since it uses physical
     # resources in our lab.
     concurrency:
diff --git a/.github/workflows/update-issues.yaml b/.github/workflows/update-issues.yaml
index 0973aab532..29b6984a65 100644
--- a/.github/workflows/update-issues.yaml
+++ b/.github/workflows/update-issues.yaml
@@ -8,10 +8,6 @@ on:
     # Run every 30 minutes
     - cron: '*/30 * * * *'
 
-permissions:
-  issues: write
-  pull-requests: write
-
 jobs:
   update-issues:
     runs-on: ubuntu-latest