diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 772b7930..1752eecb 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -2,6 +2,9 @@ name: CI
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
index 4a414248..54f818a8 100644
--- a/.github/workflows/pypi-release.yml
+++ b/.github/workflows/pypi-release.yml
@@ -7,8 +7,12 @@ on:
 - main
 - 'tag/v**'
+permissions: {}
+
 jobs:
 build_dist:
+ permissions:
+ contents: read
 name: Build source distribution
 runs-on: ubuntu-24.04
 steps:
@@ -34,6 +38,8 @@ jobs:
 run: uvx twine check dist/*
 publish:
 runs-on: ubuntu-24.04
+ permissions:
+ contents: write
 if: github.event_name == 'push'
 needs: [ build_dist ]
 steps:
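Review bot: The workflow-level `permissions` block in main.yml leaves every job in the file with `contents: read` and no other scope, but only the `lint` job header is visible in this hunk. It is worth confirming that no later job needs another scope; a job that does would need its own job-level `permissions` block. The block also follows a different pattern from pypi-release.yml in the same commit, which denies everything at the top and grants per job. Using one pattern in both files, with a short comment such as `# least privilege: read-only token for all CI jobs`, would make the intent easier to audit.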
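Review bot: The top-level `permissions: {}` in pypi-release.yml removes every token scope from any job that does not declare its own, which is easy to trip over when the next job is added. A comment above it would record the intent, for example `# Deny all by default; each job below declares the minimum it needs.` In `build_dist` the new `permissions` key sits above `name:`, while the `publish` job later in this file places it after `runs-on:`; one position for both would be more consistent. The steps of `build_dist` are outside this hunk, so whether `contents: read` is enough for them cannot be checked here.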
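Review bot: The `publish` job receives `contents: write`, the only write scope granted in this commit, and nothing in the hunk shows which step needs it; the job's steps lie outside the hunk. If the write is only there to create a release or tag, a comment should say so, e.g. `contents: write  # needed to create the GitHub release`. It may also be better to move that step into its own job, so that the job handling the PyPI upload runs with a read-only token. With `permissions: {}` now at the top of the file, `id-token` is `none` for this job. If the upload relies on PyPI trusted publishing (OIDC) rather than an API-token secret, `id-token: write` has to be listed here as well, or the upload will fail.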