diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index a3141835..85d89942 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -7,11 +7,18 @@ on:
 - dev
 - main
 
+# Default permissions for all jobs (can be overridden per job)
+permissions:
+ contents: read # Read repository contents
+ pull-requests: write # Manage PRs (labels, comments)
+ issues: write # Manage issues (PRs are issues)
+
 jobs:
 # Validate PR title and description
 validate-pr:
 name: Validate PR Format
 runs-on: ubuntu-latest
+ # Inherits workflow-level permissions (contents: read, pull-requests: write, issues: write)
 steps:
 - name: Check PR title format
 uses: amannn/action-semantic-pull-request@v5
@@ -86,6 +93,8 @@ jobs:
 backend-tests:
 name: Backend Tests (Go)
 runs-on: ubuntu-latest
+ permissions:
+ contents: read # Only need read access for testing
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
@@ -138,6 +147,8 @@ jobs:
 frontend-tests:
 name: Frontend Tests (React/TypeScript)
 runs-on: ubuntu-latest
+ permissions:
+ contents: read # Only need read access for testing
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
@@ -176,7 +187,9 @@ jobs:
 name: Auto Label PR
 runs-on: ubuntu-latest
 permissions:
+ contents: read
 pull-requests: write
+ issues: write # Required: PRs are issues, labeler needs to modify issue labels
 steps:
 - uses: actions/labeler@v5
 with:
@@ -187,6 +200,9 @@ jobs:
 security-check:
 name: Security Scan
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write # Required: Upload SARIF results to GitHub Security
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
@@ -209,6 +225,8 @@ jobs:
 secrets-check:
 name: Check for Secrets
 runs-on: ubuntu-latest
+ permissions:
+ contents: read # Only need read access for scanning
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
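Review bot: The workflow-level default added in the first hunk grants `pull-requests: write` and `issues: write` to every job that does not declare its own `permissions` block, which is wider than the least-privilege intent the per-job comments describe and will silently apply to any job added later without an override. A tighter shape is a read-only default, `permissions:` / `  contents: read`, with the write scopes moved down onto `validate-pr`, the only job that currently relies on the inherited defaults; the `# Inherits workflow-level permissions` comment on that job would then become an explicit block that reviewers can audit in place. In the Auto Label PR hunk the added `issues: write # Required: PRs are issues, labeler needs to modify issue labels` should be checked against the labeler action's documented requirements, which as far as I know list only `contents: read` and `pull-requests: write`; if the extra scope was added to fix an observed failure, say so in the comment, otherwise drop it. The `on:` trigger block and the rest of the `validate-pr` step list lie outside the hunk, so whether that job actually needs `pull-requests: write` rather than `read` for the semantic-title check cannot be confirmed from this diff.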
@@ -226,6 +244,8 @@ jobs:
 runs-on: ubuntu-latest
 needs: [validate-pr, backend-tests, frontend-tests, security-check, secrets-check]
 if: always()
+ permissions:
+ contents: read # Only need read access for status checking
 steps:
 - name: Check all jobs
 run: |
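Review bot: The added `contents: read` on this gate job may still be more than it needs: the only step visible is `Check all jobs` with an inline `run: |` script over the `needs` results, which requires no repository access, so `permissions: {}` would be the minimal grant if the job has no checkout step. The job's key, name and any further steps lie outside the hunk, so confirm there is no `actions/checkout` before tightening it. If `contents: read` stays, the comment `# Only need read access for status checking` is slightly misleading because the status check itself reads nothing from the repo; something like `# Explicit read-only grant so this job does not inherit the workflow-level write scopes` states the actual reason.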