diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8a7bbec..4a21b02 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,6 +6,8 @@ jobs:
 lints:
 name: Lints
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
 uses: actions/checkout@v4
@@ -31,6 +33,8 @@ jobs:
 run: cargo clippy -- -D warnings
 test:
 name: Build debug artifacts
+ permissions:
+ contents: read
 strategy:
 matrix:
 build: [x86_64-linux, aarch64-linux, x86_64-macos, aarch64-macos, x86_64-win-msvc]
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 1b016a7..483efbd 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -16,6 +16,8 @@ jobs:
 dist:
 name: Dist
 runs-on: ${{ matrix.os }}
+ permissions:
+ contents: read
 strategy:
 fail-fast: false # don't fail other jobs if one fails
 matrix:
@@ -86,6 +88,8 @@ jobs:
 name: "Publish binaries to release page"
 needs: [dist]
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: Checkout sources
 uses: actions/checkout@v4
@@ -139,6 +143,8 @@ jobs:
 name: "Publish crate on crates.io"
 needs: [dist]
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
 uses: actions/checkout@v4
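Review bot: The `permissions:` block is declared job by job (here on `lints`, again on `test`, and on the `dist` and crates.io jobs in deploy.yml), so a job added later without one falls back to the repository's default token permissions, which may be read/write. Declaring `permissions:` with `contents: read` once at the top level of each workflow, and overriding only on the release job, would make least privilege the default rather than something each job has to remember. Naming any scope also sets every unlisted scope to `none`, so it is worth confirming that no step in these jobs depends on another scope; the job bodies continue outside the hunks.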
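Review bot: With `contents: write` on the release job (deploy.yml, the `@@ -86,6 +88,8 @@` hunk), the `actions/checkout@v4` step right below it keeps the write-scoped `GITHUB_TOKEN` in the checked-out repository's git config by default, where every later step in the job can read it. Unless a later step pushes with git (the rest of the job is outside the hunk), add `with:` / `persist-credentials: false` to that checkout step. A short comment stating why write is required, e.g. `contents: write  # create the release and upload binaries`, would help the next reviewer judge whether the scope is still needed. Any third-party action further down in this job runs with that token, so it is worth checking that those are pinned to a commit SHA rather than a tag.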