diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 40399a2..b4dceee 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -10,6 +10,8 @@ jobs:
   pre-commit:
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9f9445e..abd5f49 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,6 +11,7 @@ jobs:
     environment: release
     timeout-minutes: 60
     permissions:
+      contents: read
       # IMPORTANT: this permission is mandatory for trusted publishing
       id-token: write
     steps:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index aa78446..3bb4db7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,6 +14,8 @@ jobs:
   test:
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permmissions:
+      contents: read
     strategy:
       matrix:
         python-version: