diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c52912470b..efc652c57d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -11,6 +11,9 @@ on: pull_request: workflow_dispatch: +permissions: + contents: read + jobs: nox: uses: ./.github/workflows/reusable-nox.yml diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 79c24cfbc3..d2cd49e8c4 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -24,6 +24,9 @@ name: "Triage Issues and PRs" +permissions: + contents: read + jobs: label_prs: runs-on: ubuntu-latest @@ -43,6 +46,8 @@ jobs: private-key: ${{ secrets.BOT_APP_KEY }} - name: Checkout parent repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install Python 3.11 uses: actions/setup-python@v5 with: diff --git a/.github/workflows/reusable-nox.yml b/.github/workflows/reusable-nox.yml index 7e2af50530..5e0a6e0c60 100644 --- a/.github/workflows/reusable-nox.yml +++ b/.github/workflows/reusable-nox.yml @@ -36,6 +36,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup nox uses: wntrblm/nox@2025.10.16 with:
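Review bot: The workflow-level `permissions:` block added before `jobs:` in ci.yaml is also the ceiling for the `nox` job, which calls `./.github/workflows/reusable-nox.yml`. A called workflow can lower the caller's token scope but cannot raise it. Nothing in the hunk records that, so I would add a comment above the block, for example `# Ceiling for all jobs, including called reusable workflows, which cannot request more.` Jobs further down ci.yaml are outside the hunk; any that need a write scope should get a job-level `permissions:` entry rather than a wider default here.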
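Review bot: The new `permissions:` block in labeler.yml has no comment explaining why a triage workflow can run with a read-only GITHUB_TOKEN. The `private-key: ${{ secrets.BOT_APP_KEY }}` step in the same job suggests that label changes go through the bot app token instead. If that is right, say so above the block, for example `# GITHUB_TOKEN is only used for checkout; labels are applied with the bot app token.` Without that note, a later labelling failure is likely to be "fixed" by widening this block. The block applies to every job in the file, and only `label_prs` is visible here.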
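Review bot: `actions/checkout@v4` and `actions/setup-python@v5` in this job are still referenced by mutable tag, and the same job handles `secrets.BOT_APP_KEY` (the context line just above the checkout step). `persist-credentials: false` keeps the token out of the checked-out repo's git config, but a re-pointed tag would still run with that secret in the job. Pinning to a full commit SHA closes that gap, for example `uses: actions/checkout@<full-commit-sha> # v4`. The same applies to `actions/checkout@v4` and `wntrblm/nox@2025.10.16` in the reusable-nox.yml hunk. The job's step list continues outside this hunk, so other `uses:` lines may need the same treatment.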
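Review bot: reusable-nox.yml gets `persist-credentials: false` on its checkout step but, as far as this commit shows, no `permissions:` block of its own. The GITHUB_TOKEN scope of its jobs is therefore whatever each caller passes down. ci.yaml now caps that at `contents: read`, but any other caller without such a block would hand over the repository default. Adding a job-level `permissions:` with `contents: read` here would keep the workflow least-privilege regardless of who calls it. The job definition starts above the hunk, so confirm it does not already declare one.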