diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index b89dfc83..12fe2bed 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -8,11 +8,18 @@ on:
 # For readme and asset updates.
 - master
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 deploy:
 name: Deploy to WordPress.org
 runs-on: ubuntu-24.04
+ timeout-minutes: 10
+ permissions:
+ contents: write # Required to upload assets to the GitHub release.
 steps:
 - name: Checkout
 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
diff --git a/.github/workflows/props-bot.yml b/.github/workflows/props-bot.yml
index 8c72d604..33674128 100644
--- a/.github/workflows/props-bot.yml
+++ b/.github/workflows/props-bot.yml
@@ -50,9 +50,8 @@ jobs:
 name: Generate a list of props
 runs-on: ubuntu-24.04
 permissions:
- # The action needs permission `write` permission for PRs in order to add a comment.
- pull-requests: write
- contents: read
+ pull-requests: write # Required to post the props comment on the pull request.
+ issues: write # Required to remove the props-bot label.
 timeout-minutes: 20
 # The job will run when pull requests are open, ready for review and:
 #
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 6b604bf3..308a2620 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,10 +9,17 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
 cancel-in-progress: true
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 lint-js-css:
 name: Lint JS & CSS
 runs-on: ubuntu-24.04
+ timeout-minutes: 20
+ permissions:
+ contents: read # Required to clone the repo.
 steps:
 - name: Checkout
 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
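Review bot: The Checkout step at the end of the `deploy` hunk in `.github/workflows/deploy.yml` should set `persist-credentials: false`, because the job now holds `contents: write` and checkout by default keeps the job token available to every later git command in the job. Unless a later step pushes with git (the release-asset upload presumably goes through the API), add `with:` / `persist-credentials: false` under the `uses:` line so build and deploy tooling cannot pick up a write-scoped credential. The rest of the step is outside the hunk, so this may already be set. The same setting is worth adding to the read-only checkouts in `test.yml` (`lint-js-css`, `lint-php-and-compatibility`, `build`), where the exposure is smaller.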
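Review bot: In `.github/workflows/props-bot.yml` the job now holds two write scopes (`pull-requests` and the new `issues`), but nothing in the hunk records which event hands it that token; the trailing comment only says it runs for open pull requests, and the `on:` block is outside the hunk. If the trigger is `pull_request_target` or a comment event, the token is write-capable for fork PRs too, so the job should stay API-only and never check out or run PR head code. I would record that above `permissions:`, e.g. `# Runs with a write token on untrusted PRs: do not check out or execute PR code in this job.` Dropping `contents: read` fits that constraint, provided no step reads repository files.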
@@ -35,6 +42,9 @@ jobs:
 lint-php-and-compatibility:
 name: Lint PHP & PHP Compatibility checks.
 runs-on: ubuntu-24.04
+ timeout-minutes: 20
+ permissions:
+ contents: read # Required to clone the repo.
 steps:
 - name: Checkout
 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
@@ -65,6 +75,9 @@ jobs:
 test-php:
 name: Test PHP ${{ matrix.php }} ${{ matrix.wp != '' && format( ' (WP {0}) ', matrix.wp ) || '' }}
 runs-on: ubuntu-24.04
+ timeout-minutes: 20
+ permissions:
+ contents: read # Required to clone the repo.
 strategy:
 matrix:
 php:
@@ -144,6 +157,9 @@ jobs:
 build:
 name: Build
 runs-on: ubuntu-24.04
+ timeout-minutes: 20
+ permissions:
+ contents: read # Required to clone the repo.
 steps:
 - name: Checkout
 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0