diff --git a/.github/workflows/create_automerge_pr.yml b/.github/workflows/create_automerge_pr.yml
index 0c5a39c..ca2e092 100644
--- a/.github/workflows/create_automerge_pr.yml
+++ b/.github/workflows/create_automerge_pr.yml
@@ -40,6 +40,10 @@ name: Create automerge PR
 #    types: [..., ready_for_review]
 # ```
 # Unfortunately this will also re-trigger testing evenon a normal user's PR (which may have already been tested), but skipping them causes the checks to reset so this is the best we can do for now.
+
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/performance_test.yml b/.github/workflows/performance_test.yml
index 105e004..dcec832 100644
--- a/.github/workflows/performance_test.yml
+++ b/.github/workflows/performance_test.yml
@@ -1,5 +1,8 @@
 name: Performance test
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 1df9e89..32b404a 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -1,5 +1,8 @@
 name: Pull request
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [opened, reopened, synchronize]
diff --git a/.github/workflows/swift_package_test.yml b/.github/workflows/swift_package_test.yml
index 524d5ca..68125a4 100644
--- a/.github/workflows/swift_package_test.yml
+++ b/.github/workflows/swift_package_test.yml
@@ -1,5 +1,8 @@
 name: Swift Matrix
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs: