diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f3a799fc0..74aef2c11 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,9 @@ on:
 jobs:
 build:
+ permissions:
+ contents: read
+
 strategy:
 matrix:
 os: [ubuntu-latest, windows-latest, macos-latest]
diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml
index 3229db07c..065b50cf9 100644
--- a/.github/workflows/markdown-link-check.yml
+++ b/.github/workflows/markdown-link-check.yml
@@ -1,10 +1,15 @@
 name: Check Markdown links
 on:
- push:
- branches: [ "main" ]
- pull_request:
- branches: [ "main" ]
+ push:
+ branches: [ "main" ]
+ paths: "**.md"
+ pull_request:
+ branches: [ "main" ]
+ paths: "**.md"
+
+permissions:
+ contents: read
 jobs:
 markdown-link-check:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 35d6053f6..b5cc934ac 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,6 +40,9 @@ jobs:
 runs-on: ${{ matrix.os }}
+ permissions:
+ contents: read
+
 steps:
 - name: Clone the repo
 uses: actions/checkout@v4
@@ -64,6 +67,9 @@ jobs:
 env:
 version_suffix_args: ${{ github.event_name != 'release' && format('--version-suffix "{0}"', inputs.version_suffix_override || format('ci.{0}', github.run_number)) || '' }}
+ permissions:
+ contents: read
+
 steps:
 - uses: actions/checkout@v4
@@ -89,7 +95,13 @@ jobs:
 publish-package:
 needs: build-package
+
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+
 steps:
 - uses: actions/checkout@v4
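Review bot: In `.github/workflows/ci.yml` the new `permissions:` block is attached to the `build` job only, so any other job in this workflow still runs with the repository's default token scopes; the `jobs:` map continues outside the hunk, so I cannot tell whether there are any. markdown-link-check.yml in this same commit sets the block at workflow level, and doing the same here (a top-level `permissions:` with `contents: read` placed before `jobs:`) would make read-only the default for every current and future job. The same applies to the three job-level blocks added in release.yml, where `publish-package` would then be the only job carrying an explicit override with `packages: write`.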
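Review bot: In markdown-link-check.yml the new `paths: "**.md"` filter on `pull_request` skips the workflow for pull requests that touch no Markdown file; if `markdown-link-check` is set as a required status check, those pull requests are left waiting on a check that never reports. Edits to this workflow file itself also no longer trigger a run, so a broken change to the checker would go unnoticed until the next Markdown edit. I would write the filter as a list and include the workflow, `paths: ["**.md", ".github/workflows/markdown-link-check.yml"]`, on both triggers, and confirm the branch-protection setting before merging.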
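Review bot: In release.yml, `publish-package` is now the one job whose token can write (`packages: write`), and its first step is a default `actions/checkout@v4`, which leaves that token in the checkout's git configuration for the remaining steps. Those steps are outside the hunk, so this is a hardening suggestion rather than a finding: add `with:` and `persist-credentials: false` to that checkout unless a later step needs to push with git. A one-line comment above `packages: write` naming the registry that needs it, for example `# needed to push the package to GitHub Packages`, would let the next reviewer confirm the scope is still required; if the package is pushed to an external feed with an API key instead, the write scope can be dropped.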