diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index f4dc7e1..82c6563 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -4,6 +4,9 @@ name: 'Pull Request Labeler'
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   label:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index e35b3f9..cc8d0cc 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -5,7 +5,8 @@ on: # yamllint disable-line rule:truthy
   push: null
   pull_request: null
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   build:
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 7d5bb8c..9235835 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -3,6 +3,9 @@ name: Pre-commit
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest