diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ab33cbc..8ed884f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,9 @@ on:
       - main
     tags: ["*"]
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Format
diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
index 3ffa068..0cb6a42 100644
--- a/.github/workflows/conventional-commits.yml
+++ b/.github/workflows/conventional-commits.yml
@@ -6,7 +6,7 @@ on:
       - main
       - release/*
 
-  pull_request_target:
+  pull_request:
     branches:
       - main
       - release/*
@@ -31,7 +31,7 @@ jobs:
           sparse-checkout: |
             .github
 
-      - if: ${{ github.event_name == 'pull_request_target' }}
+      - if: ${{ github.event_name == 'pull_request' }}
         run: |
           set -ex
           TMP_FILE=$(mktemp)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2efb441..9294bcf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,9 @@ on:
       - main
       - release/*
 
+permissions:
+  contents: read
+
 jobs:
   release_please:
     runs-on: ubuntu-latest