diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index a7d4daf9f..0af81a552 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -1,8 +1,10 @@
 name: codespell
 on: [pull_request]
+permissions:
+  contents: read
 jobs:
   codespell:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
-    - uses: codespell-project/actions-codespell@v2.2
+      - uses: actions/checkout@v6
+      - uses: codespell-project/actions-codespell@v2.2
diff --git a/.github/workflows/config-options.yml b/.github/workflows/config-options.yml
index a68a3c513..d7a5ca282 100644
--- a/.github/workflows/config-options.yml
+++ b/.github/workflows/config-options.yml
@@ -1,5 +1,7 @@
 name: Config options
 on: [pull_request, workflow_dispatch]
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/custom-branch.yml b/.github/workflows/custom-branch.yml
index ac7db9919..de4bed07d 100644
--- a/.github/workflows/custom-branch.yml
+++ b/.github/workflows/custom-branch.yml
@@ -11,6 +11,8 @@ on:
         required: false
         type: string
         default: libsemigroups/libsemigroups
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml
index 686a45d9b..11ee08c68 100644
--- a/.github/workflows/doc.yml
+++ b/.github/workflows/doc.yml
@@ -1,5 +1,7 @@
 name: Check documentation builds
 on: [pull_request, workflow_dispatch]
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 97a9f3584..fc44d01d1 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,5 +1,7 @@
 name: Lint
 on: [pull_request, workflow_dispatch]
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/pip.yml b/.github/workflows/pip.yml
index c75a219ed..28a99e1f6 100644
--- a/.github/workflows/pip.yml
+++ b/.github/workflows/pip.yml
@@ -1,5 +1,7 @@
 name: Run tests (pip)
 on: [pull_request, workflow_dispatch]
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/test-conda.yml b/.github/workflows/test-conda.yml
index eb1335569..91f84bb44 100644
--- a/.github/workflows/test-conda.yml
+++ b/.github/workflows/test-conda.yml
@@ -5,6 +5,8 @@ on:
     branches:
       - "stable-*"
       - "rc-*"
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 3ef3bb3bd..65b3a4dc3 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,5 +1,7 @@
 name: Run tests (GitHub libsemigroups)
 on: [pull_request, workflow_dispatch]
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
index c1ae7c220..9bd8799d9 100644
--- a/.github/workflows/wheels.yml
+++ b/.github/workflows/wheels.yml
@@ -10,6 +10,8 @@ on:
   pull_request:
     paths:
       - .github/workflows/wheels.yml
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}