diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 62df8e1..d2ebe52 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml
index a423106..bb0171d 100644
--- a/.github/workflows/playwright.yml
+++ b/.github/workflows/playwright.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d467f09..da50945 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -108,6 +108,8 @@ jobs:
   build-binaries:
     needs: build-test-publish
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       matrix:
         include:
@@ -156,6 +158,8 @@ jobs:
   build-docx2html-binaries:
     needs: build-test-publish
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       matrix:
         include:
@@ -204,6 +208,8 @@ jobs:
   build-docx2oc-binaries:
     needs: build-test-publish
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       matrix:
         include: