diff --git a/.github/workflows/compress-images.yml b/.github/workflows/compress-images.yml
index 6168af8..7451c21 100644
--- a/.github/workflows/compress-images.yml
+++ b/.github/workflows/compress-images.yml
@@ -13,6 +13,8 @@ jobs:
 CompressOnDemandOrSchedule:
 name: calibreapp/image-actions
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: Checkout Repo
 uses: actions/checkout@v4
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index bcec63e..753b57f 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -17,9 +17,13 @@ permissions: read-all
 jobs:
 dependency-review:
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
 steps:
 - name: 'Checkout Repository'
 uses: actions/checkout@v4
 - name: 'Dependency Review'
 uses: actions/dependency-review-action@v4
+ with:
+ comment-summary-in-pr: always
diff --git a/.github/workflows/pr-compress-images.yml b/.github/workflows/pr-compress-images.yml
index d2bda70..f4b8158 100644
--- a/.github/workflows/pr-compress-images.yml
+++ b/.github/workflows/pr-compress-images.yml
@@ -17,6 +17,7 @@ jobs:
 # Only run on Pull Requests within the same repository, and not from forks.
 if: github.event.pull_request.head.repo.full_name == github.repository
 name: calibreapp/image-actions
+ permissions: write-all
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Repo
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
index 4093190..41827d7 100644
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -13,6 +13,8 @@ permissions: read-all
 jobs:
 build:
+ permissions:
+ statuses: write
 # https://github.com/ivuorinen/ivuorinen/.github/workflows/pr-lint.yml
 uses: ivuorinen/ivuorinen/.github/workflows/pr-lint.yml@main
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 2753b9e..c6b7983 100644
--- a/.github/workflows/release-drafter.yml
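Review bot: The new job-level `permissions:` block in compress-images.yml grants `contents: write` without saying what the write is for, whereas the release-drafter hunk in this same commit annotates every scope it grants. A job-level block also replaces any workflow-level permissions rather than extending them, so every scope not listed here is now `none` for this job; if the image action is configured to open a pull request instead of committing directly it would also need `pull-requests: write`, which I cannot confirm from this hunk. Suggest a comment above the scope line such as `# contents: write is needed so the action can commit the compressed images back to the repository`, worded to match how the action is actually used here. The job's steps continue outside the hunk.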
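Review bot: The job-level `permissions:` block added to dependency-review.yml lists only `pull-requests: write`, and a job-level block replaces the workflow-level `permissions: read-all` shown in the hunk header rather than adding to it, so this job no longer has `contents: read`. Both `actions/checkout@v4` and the dependency-review action's comparison of the base and head manifests read repository data, so the job is likely to fail once this lands; please confirm in a run. Restore the read scope inside the new block, `permissions:` / `contents: read` / `pull-requests: write`, which keeps the job at least privilege while giving it what it needs. A short comment noting that the write scope exists only for `comment-summary-in-pr: always` would also help the next reader, matching the per-scope comments in the release-drafter hunk.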
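Review bot: `permissions: write-all` on the job in pr-compress-images.yml grants every token scope write access, which runs against the narrowing the rest of this commit does; the compress-images.yml hunk gives the same `calibreapp/image-actions` job only `contents: write`. The same-repository `if:` guard on the line above keeps fork pull requests out, but it does not justify a blanket grant for a job that at most needs to push commits and comment on the PR. Replace the line with `permissions:` / `contents: write` / `pull-requests: write` (drop `pull-requests` if the action only commits), and note the reason next to each scope as the release-drafter hunk does. The job's steps continue outside the hunk.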
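Review bot: The new `permissions:` block on the `build` job in pr-lint.yml passes only `statuses: write` to the reusable workflow called via `uses:`, and because a job-level block replaces the workflow-level `permissions: read-all` visible in the hunk header, every other scope is now `none` for the called workflow. A PR lint workflow typically needs at least `contents: read` to check out and often `pull-requests: read` to inspect the PR, but the called workflow is not on this page, so check its declared requirements before merging. If it needs them, extend the block to `permissions:` / `contents: read` / `pull-requests: read` / `statuses: write`, with a short comment per scope consistent with the release-drafter hunk. The called workflow's jobs are outside this hunk.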
+++ b/.github/workflows/release-drafter.yml
@@ -4,12 +4,22 @@ name: Release Drafter
 # yamllint disable-line rule:truthy
 on:
 workflow_call:
+ # pull_request event is required only for autolabeler
+ pull_request:
+ # Only following types are handled by the action, but one can default to all as well
+ types: [opened, reopened, synchronize]
 permissions: read-all
 jobs:
 update_release_draft:
 name: ✏️ Draft release
+ permissions:
+ # write permission is required to create a github release
+ contents: write
+ # write permission is required for autolabeler
+ # otherwise, read permission is required at least
+ pull-requests: write
 runs-on: ubuntu-latest
 steps:
 - name: 🚀 Run Release Drafter
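Review bot: The new `pull_request:` trigger makes this job run for pull requests from forks as well, where the job token is read-only no matter what the job-level `pull-requests: write` declares, so the autolabeler path this trigger was added for will fail on those runs rather than degrade to the read-only behaviour the comment describes. The pr-compress-images.yml hunk in this commit already uses a same-repository guard for exactly this situation; the equivalent here is `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` on the job. The comment `# Only following types are handled by the action, but one can default to all as well` would read more clearly as `# The action only reacts to these types; omitting types would also work`. The job's steps continue outside the hunk.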