diff --git a/.github/workflows/actions_template_sync.yml b/.github/workflows/actions_template_sync.yml
index 2aff5eca..7e8b6c23 100644
--- a/.github/workflows/actions_template_sync.yml
+++ b/.github/workflows/actions_template_sync.yml
@@ -10,6 +10,9 @@ on:
 jobs:
   repo-sync:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
 
     steps:
       # To use this repository's private action, you must check out the repository
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 96f73752..3a2dfcf8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,6 +13,9 @@ jobs:
   call_test_all:
     uses: ./.github/workflows/test_all.yml
     secrets: inherit
+    permissions:
+      contents: write
+      pull-requests: write
   call_release_please:
     needs:
       - call_shellcheck
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 73776b36..423838c5 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -11,7 +11,9 @@ on:
 jobs:
   test-implementation-job:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       # To use this repository's private action, you must check out the repository
       - name: Checkout
diff --git a/.github/workflows/test_all.yml b/.github/workflows/test_all.yml
index 81618da3..d044ac5d 100644
--- a/.github/workflows/test_all.yml
+++ b/.github/workflows/test_all.yml
@@ -12,12 +12,24 @@ jobs:
   call_test_hooks:
     uses: ./.github/workflows/test_hooks.yml
     secrets: inherit
+    permissions:
+      contents: write
+      pull-requests: write
   call_test_ssh_gitlab:
     uses: ./.github/workflows/test_ssh_gitlab.yml
     secrets: inherit
+    permissions:
+      contents: write
+      pull-requests: write
   call_test_ssh:
     uses: ./.github/workflows/test_ssh.yml
     secrets: inherit
+    permissions:
+      contents: write
+      pull-requests: write
   call_test:
     uses: ./.github/workflows/test.yml
     secrets: inherit
+    permissions:
+      contents: write
+      pull-requests: write
diff --git a/.github/workflows/test_hooks.yml b/.github/workflows/test_hooks.yml
index 85025b7c..478fd715 100644
--- a/.github/workflows/test_hooks.yml
+++ b/.github/workflows/test_hooks.yml
@@ -11,7 +11,9 @@ on:
 jobs:
   test-implementation-job:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       # To use this repository's private action, you must check out the repository
       - name: Checkout
diff --git a/.github/workflows/test_ssh.yml b/.github/workflows/test_ssh.yml
index 237093d7..a1fa6516 100644
--- a/.github/workflows/test_ssh.yml
+++ b/.github/workflows/test_ssh.yml
@@ -11,7 +11,9 @@ on:
 jobs:
   test-implementation-job:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       # To use this repository's private action, you must check out the repository
       - name: Checkout
diff --git a/.github/workflows/test_ssh_gitlab.yml b/.github/workflows/test_ssh_gitlab.yml
index f8f5bbcd..b704158e 100644
--- a/.github/workflows/test_ssh_gitlab.yml
+++ b/.github/workflows/test_ssh_gitlab.yml
@@ -11,7 +11,9 @@ on:
 jobs:
   test-implementation-job:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       # To use this repository's private action, you must check out the repository
       - name: Checkout
diff --git a/README.md b/README.md
index 42171d7d..3c798748 100644
--- a/README.md
+++ b/README.md
@@ -79,6 +79,10 @@ on:
 jobs:
   repo-sync:
     runs-on: ubuntu-latest
+    # https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+    permissions:
+      contents: write
+      pull-requests: write
 
     steps:
       # To use this repository's private action, you must check out the repository
@@ -89,9 +93,6 @@ jobs:
 
       - name: actions-template-sync
         uses: AndreasAugustin/actions-template-sync@v1.1.8
-        permissions:
-          content: write
-          pull-requests: write
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           source_repo_path: <owner/repo>
@@ -152,6 +153,10 @@ It is also possible to use a different git provider, e.g. GitLab.
 jobs:
   repo-sync:
     runs-on: ubuntu-latest
+    # https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+    permissions:
+      contents: write
+      pull-requests: write
 
     steps:
       # To use this repository's private action, you must check out the repository
@@ -162,9 +167,6 @@ jobs:
 
       - name: actions-template-sync
         uses: AndreasAugustin/actions-template-sync@v1.1.8
-        permissions:
-          content: write
-          pull-requests: write
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           source_repo_path: ${{ secrets.SOURCE_REPO_PATH }} # <owner/repo>, should be within secrets