diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml
index 7428cdb8..603a7794 100644
--- a/.github/workflows/build-binaries.yml
+++ b/.github/workflows/build-binaries.yml
@@ -14,6 +14,9 @@ on:
         type: string
         description: "Prefix for artifact names (e.g. 'clerk', 'clerk-canary', 'clerk-snapshot')"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: blacksmith-2vcpu-ubuntu-2404
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4ee20124..8afd3698 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
diff --git a/.github/workflows/sign-macos.yml b/.github/workflows/sign-macos.yml
index 462888a1..f90271f8 100644
--- a/.github/workflows/sign-macos.yml
+++ b/.github/workflows/sign-macos.yml
@@ -19,6 +19,9 @@ on:
       APPLE_API_ISSUER_ID:
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   sign:
     strategy:
diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml
index 47b4dc5b..a77c9af1 100644
--- a/.github/workflows/smoke-test.yml
+++ b/.github/workflows/smoke-test.yml
@@ -17,6 +17,9 @@ on:
           canary (darwin-arm64 + linux-x64 + linux-x64-musl), or
           snapshot (linux-x64 only).
 
+permissions:
+  contents: read
+
 jobs:
   resolve-matrix:
     runs-on: ubuntu-latest