diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
index 50c9eac..67f20cb 100644
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -11,6 +11,14 @@ on:
 ACTIONS_BOT_TOKEN:
 required: true
 
+permissions:
+ contents: 'read'
+ pull-requests: 'write'
+
+defaults:
+ run:
+ shell: 'bash'
+
 jobs:
 draft-release:
 name: 'Draft Release'
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 9362621..0574660 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -19,6 +19,10 @@ permissions:
 contents: 'read'
 statuses: 'write'
 
+defaults:
+ run:
+ shell: 'bash'
+
 jobs:
 init:
 name: 'Lint (Initialize)'
@@ -41,7 +45,6 @@ jobs:
 env:
 REF: '${{ github.event.pull_request.head.sha }}'
 LC_ALL: 'C'
- shell: 'bash'
 run: |-
 set -euo pipefail
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bf4a8ea..e29bc01 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,15 @@ on:
 ACTIONS_BOT_TOKEN:
 required: true
 
+permissions:
+ attestations: 'write'
+ contents: 'write'
+ packages: 'write'
+
+defaults:
+ run:
+ shell: 'bash'
+
 jobs:
 create-release:
 if: |-
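Review bot: The new top-level `permissions:` block in draft-release.yml scopes only the `GITHUB_TOKEN`; the `ACTIONS_BOT_TOKEN` secret declared in the context lines just above it is not narrowed by this block, so any step that authenticates with that secret keeps whatever scopes the token was issued with. The secret declaration under `on:` suggests this is a reusable workflow, and a called workflow cannot raise permissions above what its caller grants, so callers that do not grant `pull-requests: write` would presumably fail validation. I would add a comment above the block, e.g. `# Applies to GITHUB_TOKEN only; ACTIONS_BOT_TOKEN is scoped separately. Callers must grant pull-requests: write.` The jobs that consume these permissions lie outside the hunk.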
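Review bot: The `defaults.run.shell` block added to lint.yml (and identically to draft-release.yml and release.yml) carries no comment saying why it is set, and the reason is not obvious from the YAML. With an explicit `bash` the runner invokes `bash --noprofile --norc -eo pipefail {0}`, whereas the implicit default on Linux and macOS runners is `bash -e {0}` without `pipefail`, so a failing command early in a pipeline would not fail the step. Suggest a comment above the block such as `# Explicit bash enables -eo pipefail for every run step.`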
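Review bot: In release.yml `attestations: 'write'` is granted without `id-token`, and once a `permissions:` block is present every scope not listed drops to `none`. If a job here produces artifact attestations through the attest actions, which request an OIDC token for signing, it would also need `id-token: 'write'`; the job bodies are outside the hunk, so this should be confirmed. Separately, the three write scopes are set at workflow level and therefore apply to every job, so declaring them only under the jobs that publish would keep the remaining jobs read-only. The `create-release` job continues past the end of the hunk.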