diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..34903e4
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @temporalio/server
\ No newline at end of file
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 3e5c2e8..9eb003f 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,5 +1,6 @@
 name: Publish Docker image
-
+permissions:
+  contents: read
 on:
   push:
     branches:
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
index 0dd8c84..123acb1 100644
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -1,4 +1,6 @@
 name: goreleaser
+permissions:
+  contents: write
 on:
   release:
     types:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 2a6de2d..a2df6a7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,5 +1,6 @@
 name: Test
-
+permissions:
+  contents: read
 on:
   push:
     branches: [main]
diff --git a/.github/workflows/trigger-publish.yml b/.github/workflows/trigger-publish.yml
index 1448274..b70913b 100644
--- a/.github/workflows/trigger-publish.yml
+++ b/.github/workflows/trigger-publish.yml
@@ -1,5 +1,6 @@
 name: 'Trigger Docker image build'
-
+permissions:
+  contents: read
 on:
   push:
     branches: