diff --git a/.github/workflows/deflake.yaml b/.github/workflows/deflake.yaml
index 9f60b0c964..c764275739 100644
--- a/.github/workflows/deflake.yaml
+++ b/.github/workflows/deflake.yaml
@@ -15,6 +15,9 @@ jobs:
   deflake:
     if: ${{ github.event.workflow_run.conclusion == 'failure' }}
     runs-on: ubuntu-latest
+    permissions:
+      # "Write" to Actions to enable rerun command.
+      actions: write
 
     steps:
       - name: Check run count and re-run workflow
diff --git a/.github/workflows/selenium-lab-tests.yaml b/.github/workflows/selenium-lab-tests.yaml
index 56bf6d9b3e..5ffc9aff6c 100644
--- a/.github/workflows/selenium-lab-tests.yaml
+++ b/.github/workflows/selenium-lab-tests.yaml
@@ -145,6 +145,11 @@ jobs:
     name: Pre-build Player
     needs: compute-sha
     runs-on: ubuntu-latest
+
+    permissions:
+      # "Write" to statuses to update commit status
+      statuses: write
+
     steps:
       - uses: actions/checkout@v4
         with:
@@ -209,6 +214,10 @@ jobs:
     # lab's Selenium grid on port 4444.
     runs-on: self-hosted-selenium
 
+    permissions:
+      # "Write" to statuses to update commit status
+      statuses: write
+
     # Only one run of this job is allowed at a time, since it uses physical
     # resources in our lab.
     concurrency:
diff --git a/.github/workflows/sync-labels.yaml b/.github/workflows/sync-labels.yaml
index 0b679eab38..ac1b6caa69 100644
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@@ -16,6 +16,11 @@ on:
 jobs:
   sync-labels:
     runs-on: ubuntu-latest
+
+    permissions:
+      # "Write" to Issues to manage labels for the repo
+      issues: write
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
diff --git a/.github/workflows/update-issues.yaml b/.github/workflows/update-issues.yaml
index 6424ce19ae..29b6984a65 100644
--- a/.github/workflows/update-issues.yaml
+++ b/.github/workflows/update-issues.yaml
@@ -8,13 +8,16 @@ on:
     # Run every 30 minutes
     - cron: '*/30 * * * *'
 
-permissions:
-  issues: write
-  pull-requests: write
-
 jobs:
   update-issues:
     runs-on: ubuntu-latest
+
+    permissions:
+      # "Write" to Issues to add labels, milestones, comments, etc.
+      issues: write
+      # "Write" to Pull Requests for the same.
+      pull-requests: write
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
diff --git a/.github/workflows/update-screenshots.yaml b/.github/workflows/update-screenshots.yaml
index 28848ad991..6a49b08a50 100644
--- a/.github/workflows/update-screenshots.yaml
+++ b/.github/workflows/update-screenshots.yaml
@@ -29,6 +29,11 @@ jobs:
     name: Set Pending Status
     needs: compute-sha
     runs-on: ubuntu-latest
+
+    permissions:
+      # "Write" to statuses to update commit status
+      statuses: write
+
     steps:
       - uses: actions/checkout@v4
         with:
@@ -107,6 +112,11 @@ jobs:
   set-final-status:
     name: Set Final Status
     runs-on: ubuntu-latest
+
+    permissions:
+      # "Write" to statuses to update commit status
+      statuses: write
+
     needs: [compute-sha, run-lab-tests, update-pr]
     # Will run on success or failure, but not if the workflow is cancelled.
     if: ${{ success() || failure() }}
diff --git a/README.md b/README.md
index 3bb39f5f45..76ca17090f 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,6 @@
 # ![Shaka Player](docs/shaka-player-logo.png)
 
+
 Shaka Player is an open-source JavaScript library for adaptive media.  It plays
 adaptive media formats (such as [DASH][], [HLS][] and [MSS][]) in a browser,
 without using plugins or Flash.  Instead, Shaka Player uses the open web