diff --git a/.github/workflows/build_wheels.yml b/.github/workflows/build_wheels.yml
index 7edfa03584c1..c02fcbc7c85a 100644
--- a/.github/workflows/build_wheels.yml
+++ b/.github/workflows/build_wheels.yml
@@ -5,6 +5,9 @@ on:
     branches: [master, 'release*']
     tags: ['*']
 
+permissions:
+  contents: read
+
 jobs:
   build-wheels:
     if: github.repository == 'python/mypy'
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 9f984e3a346b..97559fab61b8 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -14,6 +14,9 @@ on:
     - CREDITS
     - LICENSE
 
+permissions:
+  contents: read
+
 jobs:
   docs:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/mypy_primer.yml b/.github/workflows/mypy_primer.yml
index d4432826b9e1..2cff67f73cbf 100644
--- a/.github/workflows/mypy_primer.yml
+++ b/.github/workflows/mypy_primer.yml
@@ -15,6 +15,9 @@ on:
     - 'mypy/test/**'
     - 'test-data/**'
 
+permissions:
+  contents: read
+
 jobs:
   mypy_primer:
     name: Run mypy_primer
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index e8f8a2a05e2b..caf8f52c7311 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -19,6 +19,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   main:
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/test_stubgenc.yml b/.github/workflows/test_stubgenc.yml
index b48031e5c18f..94ab57c44d0a 100644
--- a/.github/workflows/test_stubgenc.yml
+++ b/.github/workflows/test_stubgenc.yml
@@ -12,6 +12,9 @@ on:
     - 'mypy/stubdoc.py'
     - 'test-data/stubgen/**'
 
+permissions:
+  contents: read
+
 jobs:
   stubgenc:
     # Check stub file generation for a small pybind11 project