diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b7bdd50..552d77f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,11 +6,16 @@ on:
 branches: [ main ]
 workflow_dispatch:
+permissions: {}
+
 jobs:
 tox:
 name: ${{ matrix.name }}
 runs-on: ubuntu-latest
+permissions:
+contents: read
+
 container: python:${{ matrix.python }}
 strategy:
@@ -36,12 +41,18 @@ jobs:
 name: Zizmor
 runs-on: ubuntu-latest
+permissions:
+contents: read
+
 steps:
 - uses: pgjones/actions/zizmor@dbbee601c084d000c4fc711d4b27cb306e15ead1 # v1
 compliance:
 runs-on: ubuntu-latest
+permissions:
+contents: read
+
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 19698c7..9a17121 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -3,6 +3,8 @@ on:
 push:
 tags:
 - '*'
+permissions: {}
+
 jobs:
 build:
 runs-on: ubuntu-latest
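Review bot: The top-level `permissions: {}` strips every default GITHUB_TOKEN scope from all jobs, but only the tox, Zizmor and compliance jobs get `contents: read` back in this diff; the jobs between old lines 17 and 35 of ci.yml sit outside both hunks, and any of them that runs actions/checkout will now fail at checkout unless it received the same two lines (`permissions:` / `contents: read`). A comment on the new top-level key would record the intent for whoever adds the next job, e.g. `# No default token scopes; every job declares the minimum it needs.` The tox job's `container:` and `strategy:` stanzas continue past the hunk.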
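Review bot: The `contents: read` grant on the Zizmor job is unexplained — the only step visible is `pgjones/actions/zizmor`, with no checkout in the hunk, so whether that composite action needs repository contents cannot be confirmed from here. If it does, a comment such as `# contents: read — the zizmor action reads the repository (confirm against the action)` records why the job is not left at `{}`; if it does not, the grant can be dropped to keep the job at zero scopes. The compliance job's grant is justified by its visible `actions/checkout` step. Both jobs' step lists continue past the hunk.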
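Review bot: After the new `permissions: {}`, the `build` job in publish.yml has no token scopes at all, yet this hunk adds no job-level grant, unlike the three ci.yml jobs; if build checks out the repository (its steps lie outside the hunk and no later hunk for this file is visible here), it needs `permissions:` / `contents: read`, and any job that publishes needs its own explicit write scope declared the same way rather than relying on a default that no longer exists. A smaller style point: the new key follows `- '*'` directly, whereas in ci.yml it is followed by a blank line and, it appears, preceded by one — a blank line before it would keep the two workflows consistent.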