diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4e6bd447..1ecd693e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,8 +6,12 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   build:
+    name: Build app and tests
     strategy:
       fail-fast: false
       matrix:
@@ -18,6 +22,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           path: example-application
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@v5
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 54f7b649..1720c1ef 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -5,15 +5,21 @@ name: Documentation
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 env:
   DOXYGEN_VERSION: 1.9.6
 
 jobs:
   build:
+    name: Build
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         run: |
@@ -50,6 +56,7 @@ jobs:
           path: doc/deploy
 
   deploy:
+    name: Deploy
     runs-on: ubuntu-22.04
     needs: build
     if: github.event_name != 'pull_request'