diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index c3a2277f1..483dd58f0 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -3,6 +3,9 @@ on:
   push:
     branches: [ master ]
   pull_request: {}
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index 9108ee06f..c010de90e 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -3,6 +3,9 @@ on:
   push:
     branches: [ master ]
   pull_request: {}
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 23da186d4..3414ff04a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,8 +7,13 @@ on:
 # TODO: also publish the dist
 name: Create Release
 
+permissions:
+  contents: read
+
 jobs:
   build:
+    permissions:
+      contents: write  # for actions/create-release to create a release
     name: Create Release
     runs-on: ubuntu-latest
     steps: