diff --git a/.github/workflows/CI-unixish.yml b/.github/workflows/CI-unixish.yml
index ff7c3f65..a9ed44d5 100644
--- a/.github/workflows/CI-unixish.yml
+++ b/.github/workflows/CI-unixish.yml
@@ -2,6 +2,9 @@ name: CI-unixish
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
@@ -18,6 +21,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Install missing software on ubuntu
       if: matrix.os == 'ubuntu-24.04'
diff --git a/.github/workflows/CI-windows.yml b/.github/workflows/CI-windows.yml
index 971f3827..04d80a49 100644
--- a/.github/workflows/CI-windows.yml
+++ b/.github/workflows/CI-windows.yml
@@ -6,6 +6,9 @@ name: CI-windows
 
 on: [push,pull_request]
 
+permissions:
+  contents: read
+
 defaults:
   run:
     shell: cmd
@@ -23,6 +26,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup msbuild.exe
         uses: microsoft/setup-msbuild@v2
diff --git a/.github/workflows/clang-tidy.yml b/.github/workflows/clang-tidy.yml
index a2f7b6dc..fd4ec04d 100644
--- a/.github/workflows/clang-tidy.yml
+++ b/.github/workflows/clang-tidy.yml
@@ -4,6 +4,9 @@ name: clang-tidy
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
@@ -11,6 +14,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install missing software
         run: |