diff --git a/.github/workflows/build-syncthing.yaml b/.github/workflows/build-syncthing.yaml
index 679065bba..66d699f9a 100644
--- a/.github/workflows/build-syncthing.yaml
+++ b/.github/workflows/build-syncthing.yaml
@@ -9,6 +9,11 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions:
+  contents: read
+  issues: read
+  pull-requests: read
+
 env:
   # The go version to use for builds. We set check-latest to true when
   # installing, so we get the latest patch version that matches the
@@ -1020,6 +1025,7 @@ jobs:
       VERSION: ${{ needs.facts.outputs.version }}
       RELEASE_KIND: ${{ needs.facts.outputs.release-kind }}
     strategy:
+      fail-fast: false
       matrix:
         pkg:
           - syncthing
diff --git a/.github/workflows/mirrors.yaml b/.github/workflows/mirrors.yaml
index 99eb472ec..c5f9aabe4 100644
--- a/.github/workflows/mirrors.yaml
+++ b/.github/workflows/mirrors.yaml
@@ -2,6 +2,9 @@ name: Mirrors
 
 on: [push, delete]
 
+permissions:
+  contents: read
+
 jobs:
   codeberg:
     name: Mirror to Codeberg
diff --git a/.github/workflows/trigger-nightly.yaml b/.github/workflows/trigger-nightly.yaml
index 75d623153..82b513300 100644
--- a/.github/workflows/trigger-nightly.yaml
+++ b/.github/workflows/trigger-nightly.yaml
@@ -5,6 +5,9 @@ on:
     # Run nightly build at 01:00 UTC
     - cron: '00 01 * * *'
 
+permissions:
+  contents: write
+
 jobs:
 
   trigger-nightly:
diff --git a/.github/workflows/update-docs-translations.yaml b/.github/workflows/update-docs-translations.yaml
index ee81594df..8a69537d1 100644
--- a/.github/workflows/update-docs-translations.yaml
+++ b/.github/workflows/update-docs-translations.yaml
@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: '42 3 * * 1'
 
+permissions:
+  contents: write
+
 jobs:
 
   update_transifex_docs: