diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 5936340..22922ed 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -25,3 +25,6 @@ jobs:
       - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
         with:
           extra_args: --verbose
+
+permissions:
+  contents: read
diff --git a/.github/workflows/release-to-pypi.yml b/.github/workflows/release-to-pypi.yml
index dac4664..730c663 100644
--- a/.github/workflows/release-to-pypi.yml
+++ b/.github/workflows/release-to-pypi.yml
@@ -20,3 +20,6 @@ jobs:
         with:
           user: __token__
           password: ${{ secrets.PYPI_API_TOKEN }}
+
+permissions:
+  contents: read
diff --git a/.github/workflows/release-to-test-pypi.yml b/.github/workflows/release-to-test-pypi.yml
index 7482ca9..3781848 100644
--- a/.github/workflows/release-to-test-pypi.yml
+++ b/.github/workflows/release-to-test-pypi.yml
@@ -32,3 +32,6 @@ jobs:
           password: ${{ secrets.TEST_PYPI_API_TOKEN }}
           repository_url: https://test.pypi.org/legacy/
           verbose: true
+
+permissions:
+  contents: read
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3fd9624..498a92f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -60,3 +60,6 @@ jobs:
           verbose: true
           files: ./coverage.xml
           fail_ci_if_error: false  # https://github.com/codecov/codecov-action/issues/557
+
+permissions:
+  contents: read
diff --git a/.github/workflows/update_actions.yml b/.github/workflows/update_actions.yml
index a9cfdfa..10f41c0 100644
--- a/.github/workflows/update_actions.yml
+++ b/.github/workflows/update_actions.yml
@@ -21,3 +21,7 @@ jobs:
         with:
           token: ${{ secrets.ACTIONS_VERSION_UPDATER_TOKEN }}
           update_version_with: release-commit-sha
+
+permissions:
+  contents: read
+  pull-requests: write