diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index c9359f95e..11613baf1 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -5,8 +5,13 @@ on:
   pull_request:
     branches: [dev]
 
+permissions:
+  contents: read
+
 jobs:
   check:
     uses: ./.github/workflows/lint-test.yml
+    permissions:
+      contents: read
     secrets:
       inherit
diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml
index c908f07b6..7c467b7be 100644
--- a/.github/workflows/lint-test.yml
+++ b/.github/workflows/lint-test.yml
@@ -4,9 +4,14 @@ on:
       CODECOV_TOKEN:
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   lint-and-test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v3
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 396931caf..fc78dc62f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,8 +3,13 @@ on:
   push:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
   lint-and-test:
+    permissions:
+      contents: read
     uses: ./.github/workflows/lint-test.yml
     secrets:
       inherit