diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 72f6d98..0bb89ef 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -6,7 +6,8 @@ on:
       - main
   pull_request:
 
-permissions: {}
+permissions:
+  contents: read # needed for checkout in private repos
 
 jobs:
   self-test:
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 63b106e..98b795c 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -6,7 +6,8 @@ on:
   pull_request:
     branches: ["**"]
 
-permissions: {}
+permissions:
+  contents: read # needed for checkout in private repos
 
 jobs:
   zizmor:
diff --git a/{{cookiecutter.project_slug}}/.github/workflows/docs.yml b/{{cookiecutter.project_slug}}/.github/workflows/docs.yml
index ed2d8f1..9962cda 100644
--- a/{{cookiecutter.project_slug}}/.github/workflows/docs.yml
+++ b/{{cookiecutter.project_slug}}/.github/workflows/docs.yml
@@ -5,7 +5,8 @@ on:
     branches:
       - main
 
-permissions: {}
+permissions:
+  contents: read # needed for checkout in private repos
 
 jobs:
   build:
diff --git a/{{cookiecutter.project_slug}}/.github/workflows/lint.yml b/{{cookiecutter.project_slug}}/.github/workflows/lint.yml
index 455904d..9f2473c 100644
--- a/{{cookiecutter.project_slug}}/.github/workflows/lint.yml
+++ b/{{cookiecutter.project_slug}}/.github/workflows/lint.yml
@@ -6,7 +6,8 @@ on:
       - main
   pull_request:
 
-permissions: {}
+permissions:
+  contents: read # needed for checkout in private repos
 
 jobs:
   lint:
diff --git a/{{cookiecutter.project_slug}}/.github/workflows/release.yml b/{{cookiecutter.project_slug}}/.github/workflows/release.yml
index 7d4e885..2dbbc63 100644
--- a/{{cookiecutter.project_slug}}/.github/workflows/release.yml
+++ b/{{cookiecutter.project_slug}}/.github/workflows/release.yml
@@ -5,7 +5,8 @@ on:
 
 name: release
 
-permissions: {}
+permissions:
+  contents: read # needed for checkout in private repos
 
 jobs:
   build:
diff --git a/{{cookiecutter.project_slug}}/.github/workflows/tests.yml b/{{cookiecutter.project_slug}}/.github/workflows/tests.yml
index 89d4c92..ff524e8 100644
--- a/{{cookiecutter.project_slug}}/.github/workflows/tests.yml
+++ b/{{cookiecutter.project_slug}}/.github/workflows/tests.yml
@@ -6,7 +6,8 @@ on:
       - main
   pull_request:
 
-permissions: {}
+permissions:
+  contents: read # needed for checkout in private repos
 
 jobs:
   test:
diff --git a/{{cookiecutter.project_slug}}/.github/workflows/zizmor.yml b/{{cookiecutter.project_slug}}/.github/workflows/zizmor.yml
index 63b106e..98b795c 100644
--- a/{{cookiecutter.project_slug}}/.github/workflows/zizmor.yml
+++ b/{{cookiecutter.project_slug}}/.github/workflows/zizmor.yml
@@ -6,7 +6,8 @@ on:
   pull_request:
     branches: ["**"]
 
-permissions: {}
+permissions:
+  contents: read # needed for checkout in private repos
 
 jobs:
   zizmor: