diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index c5712d75..3fd5d9ca 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -6,14 +6,12 @@ on:
     types:
       - completed
 
-permissions:
-  contents: read
-
 jobs:
   get_pr_details:
     permissions:
-      id-token: write
       contents: read
+      id-token: write
+      pull-requests: read
     # Guardrails to only ever run if PR recording workflow was indeed
     # run in a PR event and ran successfully
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
@@ -27,6 +25,7 @@ jobs:
     permissions:
       contents: read
       id-token: write
+      pull-requests: write
     needs: get_pr_details
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/on_label_added.yml b/.github/workflows/on_label_added.yml
index f2f407de..4d0613a8 100644
--- a/.github/workflows/on_label_added.yml
+++ b/.github/workflows/on_label_added.yml
@@ -12,6 +12,7 @@ permissions:
 jobs:
   get_pr_details:
     permissions:
+      contents: read
       id-token: write
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     uses: ./.github/workflows/reusable_export_pr_details.yml
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index b04f6f1a..7f281bad 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -13,6 +13,7 @@ jobs:
   get_pr_details:
     permissions:
       id-token: write
+      contents: read
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with:
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
index 904c7056..83de7718 100644
--- a/.github/workflows/reusable_export_pr_details.yml
+++ b/.github/workflows/reusable_export_pr_details.yml
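Review bot: With the workflow-level `permissions: contents: read` removed from label_pr_on_title.yml, any job in this file that lacks its own `permissions` block falls back to the repository's default GITHUB_TOKEN scope, which is read/write on older repositories, and this is a `workflow_run` workflow whose token already carries base-repository write access. Both jobs visible in this diff declare their own block, so nothing changes today, but a job added later without one would silently inherit the default. Keeping a restrictive top-level default costs nothing, because a job-level block replaces rather than merges with it: restore `permissions: contents: read` at the top of the file (or `permissions: {}`) and leave the per-job grants exactly as they are.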
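Review bot: Adding `pull-requests: write` to this job hands a PR-editing token to a job that runs under `workflow_run`, so whatever it consumes from the triggering run — presumably the PR details that `get_pr_details` exports through `reusable_export_pr_details.yml` — has to be treated as attacker-controlled, since the PR run that produced the artifact executes code from the PR branch. The `steps:` that use those values lie outside the hunk; if any of them interpolate the exported PR title or body with `${{ }}` inside a `run:` script, that is a script-injection path into a write-capable job, and the values should be passed through `env:` and read as shell variables instead. A comment above `permissions:` would make the trust boundary explicit: `# pull-requests: write is needed to apply labels; values from needs.get_pr_details originate in the untrusted PR run — never interpolate them into run:`.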
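Review bot: The `contents: read` added to `get_pr_details` in on_label_added.yml looks redundant next to the workflow-level `permissions:` block named in the hunk header, but it is not, because a job-level `permissions` key replaces the workflow-level block entirely rather than merging with it; without it the reusable workflow would be called with a token granting only `id-token: write`, and a called workflow cannot elevate beyond what the caller passes. That subtlety is exactly what a later "cleanup" would undo. A one-line comment above the block would protect it: `# job-level permissions replace the top-level block, so contents: read must be restated here`.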
@@ -43,6 +43,7 @@ jobs:
   export_pr_details:
     permissions:
       id-token: write
+      contents: read
     # see https://github.com/aws-powertools/powertools-lambda-python/issues/1349
     if: inputs.workflow_origin == 'aws-powertools/powertools-lambda-dotnet'
     runs-on: ubuntu-latest
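Review bot: The `if: inputs.workflow_origin == 'aws-powertools/powertools-lambda-dotnet'` gate on `export_pr_details` tests a value supplied by the calling workflow, so it can only catch a caller that omitted or mistyped the input; it does not establish which repository is actually running the job. If the guard is meant to stop this job from running anywhere but the intended repository (the linked issue hints at a cross-repository concern, but the hunk does not say), compare the `github` context instead, which inside a reusable workflow is the caller's: `if: github.repository == 'aws-powertools/powertools-lambda-dotnet'`. Either way the comment should say what the gate is for rather than only linking the issue, e.g. `# only run when invoked from the dotnet repository's workflows (see issue 1349)`.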