diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b87e62c21..f35b42da2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,10 +19,14 @@ on:
 - sdk-release/**
 - feature/**
+permissions: {}
+
 jobs:
 lint:
 name: Static Checks
 runs-on: "ubuntu-24.04"
+ permissions:
+ contents: read
 steps:
 - uses: extractions/setup-just@v2
 - uses: actions/checkout@v3
@@ -50,6 +54,8 @@ jobs:
 build:
 name: Build
 runs-on: "ubuntu-24.04"
+ permissions:
+ contents: read
 steps:
 - uses: extractions/setup-just@v2
 - uses: actions/checkout@v3
@@ -74,6 +80,8 @@ jobs:
 # see https://github.com/actions/setup-python/issues/544#issuecomment-1332535877 for list of supported versions
 # move to ubuntu-latest when we drop 3.7
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -114,6 +122,8 @@ jobs:
 endsWith(github.actor, '-stripe')
 needs: [build, test, lint]
 runs-on: "ubuntu-24.04"
+ permissions:
+ contents: read
 steps:
 - uses: extractions/setup-just@v2
 - uses: actions/checkout@v3
diff --git a/.github/workflows/rules.yml b/.github/workflows/rules.yml
index 21d6c0989..b7d9c0d8b 100644
--- a/.github/workflows/rules.yml
+++ b/.github/workflows/rules.yml
@@ -7,6 +7,8 @@ on:
 types:
 - auto_merge_enabled
+permissions: {}
+
 jobs:
 require_merge_commit_on_merge_script_pr:
 name: Merge script PRs must create merge commits
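Review bot: The `uses:` lines kept as context in this hunk, `extractions/setup-just@v2` and `actions/checkout@v3`, still reference mutable tags, so the new `contents: read` limit bounds what a retagged action can do with the token but not which code runs inside the job. The same two references appear in the build hunk and in the last ci.yml hunk. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `- uses: extractions/setup-just@<full-commit-sha>  # v2`, would complete the hardening this commit starts. The step lists continue outside the hunks, so other actions in these jobs may need the same treatment.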
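Review bot: The `contents: read` added to the job in the `@@ -114,6 +122,8 @@` hunk is unlikely to be exercised by pull-request CI, because the job appears to be gated by an `if:` whose visible tail is `endsWith(github.actor, '-stripe')`; a scope that is too narrow would then surface only when a release is attempted. The job's steps after checkout are outside the hunk, so it is worth confirming that none of them uses the GITHUB_TOKEN for more than reading the repository (OIDC-based publishing, for example, needs `id-token: write`). Once confirmed, a comment on the block such as `# publishing authenticates with a repository secret; GITHUB_TOKEN only reads the repo` would record the assumption for the next editor.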
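Review bot: In rules.yml, `permissions: {}` is set at workflow level and no job-level block is visible for `require_merge_commit_on_merge_script_pr`, so the job runs with a token that carries no scopes and nothing in the file says why that is sufficient. The job body is outside the hunk; if it only inspects the event payload this is the right setting, but any API call made with the token would be refused. A comment above the line, e.g. `# No GITHUB_TOKEN scopes: this check reads only the event payload`, would make the intent explicit; if the job does call the API, grant `pull-requests: read` on the job rather than widening the workflow default.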