diff --git a/.github/workflows/dotnetcore.yml b/.github/workflows/dotnetcore.yml
index fbacaa0..2a1657c 100644
--- a/.github/workflows/dotnetcore.yml
+++ b/.github/workflows/dotnetcore.yml
@@ -6,6 +6,9 @@ on: [pull_request, workflow_dispatch]
 env:
   SNAPSHOOTER_STRICT_MODE: true
 
+# see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions: {}
+
 jobs:
   # Fail if there are build warnings
   #
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 776e098..d1c9e71 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,9 +25,14 @@ on:
 env:
   SNAPSHOOTER_STRICT_MODE: true
 
+# see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions: {}
+
 jobs:
   release:
     name: Release
+    permissions:
+      contents: write  # for git-push and creating a GH release and uploading release assets
     runs-on: ubuntu-24.04
     timeout-minutes: 30
     outputs:
@@ -173,6 +178,8 @@ jobs:
   release-osx-arm64:
     name: Release osx-arm64
     needs: release
+    permissions:
+      contents: write  # for uploading release assets
     runs-on: macos-latest
     timeout-minutes: 30
     steps: