diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 129910fa..229cbb9f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -229,8 +229,6 @@ jobs: permissions: # required to write sarif report security-events: write - # required to check out the repository - contents: read steps: - name: Checkout
@@ -404,6 +402,9 @@ jobs: release: runs-on: ubuntu-24.04 + permissions: # required to create GitHub release + contents: write needs: - test-integration - test-unit
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index bcc4cad7..fe687f9a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -21,12 +21,10 @@ env: jobs: codeql: + runs-on: ubuntu-24.04 permissions: actions: read - contents: read security-events: write - - runs-on: ubuntu-24.04 steps: - name: Checkout
diff --git a/.github/workflows/docs-release.yml b/.github/workflows/docs-release.yml
index 5ac49234..f975ee0c 100644
--- a/.github/workflows/docs-release.yml
+++ b/.github/workflows/docs-release.yml
@@ -23,6 +23,9 @@ jobs: open-pr: runs-on: ubuntu-24.04 if: ${{ (github.event.release.prerelease != true || github.event.inputs.tag != '') && github.repository == 'docker/buildx' }} + permissions: contents: write pull-requests: write steps: - name: Checkout docs repo
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 39ad0fb5..a5bff97e 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -18,10 +18,9 @@ on: jobs: labeler: - permissions: - contents: read - pull-requests: write runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - name: Run
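Review bot: Removing `contents: read` from the build.yml job that keeps `security-events: write` leaves that job's GITHUB_TOKEN with no contents scope at all, because a job-level `permissions` block sets every unlisted scope to `none` and does not merge with any workflow-level block. The `Checkout` step that follows will presumably still succeed only because docker/buildx is public and can be cloned anonymously; on a private repository, or for an action that reads repository contents through the API, it would fail. Unless the removal deliberately relies on public visibility, I'd keep the two lines `# required to check out the repository` / `contents: read`. The job's name and trigger are outside the hunk.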
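Review bot: `contents: write` is the only scope GitHub offers for creating a release, but it also lets the `release` job push commits, branches and tags to the repository, so the grant is broader than the comment `# required to create GitHub release` implies. The job's trigger, steps and the actions it runs are outside the hunk; I'd confirm it only runs on trusted events (tag pushes, never `pull_request`) and that the release-creating action is pinned to a commit SHA. Extending the comment to `# required to create GitHub release (also allows pushing to the repo; trusted triggers only)` would make the trade-off explicit to the next maintainer.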
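Review bot: The codeql.yml job now declares only `actions: read` and `security-events: write`, so with a job-level `permissions` block its token has no `contents` scope; the CodeQL action's documented minimum permissions include `contents: read` for checkout and for fetching query packs, and list `actions: read` as needed only on private repositories, so keeping the latter while dropping the former is inconsistent. On a public repository this likely keeps working through anonymous access, but it is fragile and breaks silently if visibility changes. I'd restore `contents: read` next to the kept scopes. The `Checkout` step is the last visible line; the rest of the job is outside the hunk.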
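Review bot: The two scopes added to `open-pr` in docs-release.yml come without the `# required to ...` justification the other hunks give, and `contents: write` on GITHUB_TOKEN only grants write access to this repository (docker/buildx), never to the docs repository the next step checks out. If the pull request against the docs repo is opened with a separate token (the steps after `Checkout docs repo` are outside the hunk), `contents: write` here is presumably unnecessary and should be dropped; if this job does push a branch to docker/buildx, document it as `contents: write # required to push the generated docs branch`. The same comment discipline would apply to `pull-requests: write`.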
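Review bot: `actions/labeler` reads its rule file from the repository through the GitHub API, and its documentation lists `contents: read` beside `pull-requests: write` as the required permissions, so removing it from labeler.yml while keeping a job-level `permissions` block sets the contents scope to `none`. This probably still works on a public repository, where contents are readable without a scope, but it then depends on repository visibility rather than an explicit grant; I'd keep `contents: read` under `permissions:`. Separately, this job stays on `ubuntu-latest` while the other workflows in the diff pin `ubuntu-24.04`; that line is unchanged by this commit but pinning it would be consistent.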