diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 4249a85..1d6153d 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,4 +1,6 @@
 name: Documentation
+permissions:
+  contents: read
 
 on: [push, pull_request]
 
@@ -14,6 +16,8 @@ jobs:
     steps:
 
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
 
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v2
diff --git a/.github/workflows/flake8.yml b/.github/workflows/flake8.yml
index 25dabb3..ed14cd7 100644
--- a/.github/workflows/flake8.yml
+++ b/.github/workflows/flake8.yml
@@ -1,4 +1,6 @@
 name: Check Code Style
+permissions:
+  contents: read
 
 on: [push, pull_request]
 
@@ -10,6 +12,8 @@ jobs:
     steps:
 
       - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@v2
 
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index 7382c4b..27c0a63 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -26,7 +26,8 @@ jobs:
 
     - uses: actions/checkout@v2
       with:
-        fetch-depth: 1000  # should be enough to reach the most recent tag
+        fetch-depth: 1000
+        persist-credentials: false
 
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v2
@@ -51,7 +52,7 @@ jobs:
     - name: Deploy documentation
       # We pin to the SHA, not the tag, for security reasons.
       # https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
-      uses: peaceiris/actions-gh-pages@bbdfb200618d235585ad98e965f4aafc39b4c501  # v3.7.3
+      uses: peaceiris/actions-gh-pages@bbdfb200618d235585ad98e965f4aafc39b4c501 # v3.7.3
       with:
         deploy_key: ${{ secrets.ACTIONS_DOCUMENTATION_DEPLOY_KEY }}
         publish_branch: master
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index 66dc760..f0057e9 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -14,6 +14,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v2
       with:
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 05189ad..377e3a6 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -1,4 +1,6 @@
 name: Unit Tests
+permissions:
+  contents: read
 
 on: [push, pull_request]
 
@@ -13,6 +15,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v2
       with: