diff --git a/.github/workflows/checksum_release.yml b/.github/workflows/checksum_release.yml
index 5e95da3d..f2a4404b 100644
--- a/.github/workflows/checksum_release.yml
+++ b/.github/workflows/checksum_release.yml
@@ -5,6 +5,9 @@ on:
 release:
 types: [created]
 
+permissions:
+ contents: read
+
 jobs:
 get-sha256:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml
index 01d0a6c6..73859a94 100644
--- a/.github/workflows/doc.yml
+++ b/.github/workflows/doc.yml
@@ -6,6 +6,9 @@ on:
 schedule:
 - cron: '0 0 * * *' # Every day at 00:00 UTC
 
+permissions:
+ contents: read
+
 jobs:
 doc:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/draft-pdf.yml b/.github/workflows/draft-pdf.yml
index c506ee8d..a72118e1 100644
--- a/.github/workflows/draft-pdf.yml
+++ b/.github/workflows/draft-pdf.yml
@@ -1,4 +1,8 @@
 name: Draft JOSS PDF
+
+permissions:
+ contents: read
+
 on:
 push:
 paths:
diff --git a/.github/workflows/lint-format-check.yaml b/.github/workflows/lint-format-check.yaml
index 4417c6f2..5fd75e8e 100644
--- a/.github/workflows/lint-format-check.yaml
+++ b/.github/workflows/lint-format-check.yaml
@@ -1,5 +1,8 @@
 name: Lint, format and type check
 
+permissions:
+ contents: read
+
 on:
 pull_request:
 branches: [main]
diff --git a/.github/workflows/pr-title-checker.yml b/.github/workflows/pr-title-checker.yml
index d26933a0..e2ee7542 100644
--- a/.github/workflows/pr-title-checker.yml
+++ b/.github/workflows/pr-title-checker.yml
@@ -1,5 +1,9 @@
 name: PR Title Checker
 
+permissions:
+ contents: read
+ pull-requests: read
+
 on:
 pull_request:
 types: [opened, edited, synchronize, reopened]
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index 70f977fa..2ea3fefc 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -7,6 +7,8 @@ on:
 jobs:
 test:
 name: test
+ permissions:
+ contents: read
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
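Review bot: In `checksum_release.yml` the new workflow-level `contents: read` also caps the `get-sha256` job, whose steps lie outside this hunk; if that job attaches the checksum to the release or commits a file, its API call will be refused once this merges. The same question applies to `doc.yml` (a docs job that pushes to a pages branch would need write access) and to `pr-title-checker.yml`, where `pull-requests: read` is too narrow if the checker labels or comments on the PR. Where a job does need more, I would keep the read-only default and widen only that job, e.g. `permissions:` / `contents: write` under the job with a comment such as `# needs write to upload the release asset`.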
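Review bot: `publish-pypi.yml` is the only file here that sets `permissions` per job instead of at workflow level, so any job outside its two hunks (`test` at line 7 and `build` at line 56), presumably the one that uploads to PyPI, still runs with the repository's default token scope. I would add the same top-level `permissions:` / `contents: read` block as in the other six workflows and let each job add only what it needs; a publish job using trusted publishing, if there is one, would add `id-token: write` on that job alone. The rest of the file is not visible in the diff, so the existence of further jobs is inferred from the file name and the `needs: test` chain.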
@@ -56,6 +58,8 @@ jobs:
 build:
 name: Build wheels for multiple Python versions
 needs: test
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 077489fb..2cff766d 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -1,5 +1,8 @@
 name: Tests and Examples
 
+permissions:
+ contents: read
+
 on:
 push:
 pull_request: