diff --git a/.github/workflows/jsonnetfmt.yml b/.github/workflows/jsonnetfmt.yml
index 9ad6fa1..3c2fbfc 100644
--- a/.github/workflows/jsonnetfmt.yml
+++ b/.github/workflows/jsonnetfmt.yml
@@ -4,6 +4,9 @@ on:
     branches:
       - main
   pull_request: {}
+permissions:
+  contents: read
+
 jobs:
   jsonnetfmt:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 01f4fbe..bac66c4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,8 +5,13 @@ on:
     tags:
       - '*'
   
+permissions:
+  contents: read
+
 jobs:
   goreleaser:
+    permissions:
+      contents: write  # for goreleaser/goreleaser-action to create a GitHub release
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 0dbb23a..a8f6bc8 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -4,6 +4,9 @@ on:
     branches:
       - main
   pull_request: {}
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest