diff --git a/.github/workflows/stale-issues.yml b/.github/workflows/stale-issues.yml
index e38e019ae..ba2621be3 100644
--- a/.github/workflows/stale-issues.yml
+++ b/.github/workflows/stale-issues.yml
@@ -12,10 +12,11 @@ on:
     - cron: "0 0 * * *"
   issue_comment:
 
-permissions:
-  contents: write
-  issues: write
-  pull-requests: write
+permissions: {}
+
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
 
 concurrency:
   group: stale-issues
@@ -31,6 +32,10 @@ jobs:
         )
       )
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
     steps:
       - name: Mark/Close Stale Issues and Pull Requests
         uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9
@@ -57,6 +62,10 @@ jobs:
         )
       )
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
     steps:
       - name: Mark/Close Stale `bump-formula-pr` and `bump-cask-pr` Pull Requests
         uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9