diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6837ad5b..26d81fc2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,10 @@ on:
   schedule:
     - cron: "0 8 * * *" # Run at 8 AM UTC
 
+
+permissions:
+  contents: read
+
 jobs:
   type-check:
     strategy:
diff --git a/.github/workflows/eval-model.yml b/.github/workflows/eval-model.yml
index 72b8e902..51f611cd 100644
--- a/.github/workflows/eval-model.yml
+++ b/.github/workflows/eval-model.yml
@@ -11,6 +11,10 @@ on:
       - synchronize # When new commits are pushed to the PR
       - labeled     # When a label is added to the PR
 
+
+permissions:
+  contents: read
+
 jobs:
   evaluate-and-print:
     if: contains(github.event.pull_request.labels.*.name, 'run-eval')  # Only run if 'run-eval' label is added