diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 515e5dd..4e23127 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,9 @@ on:
     branches: [main]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   ci:
     name: ${{ matrix.name }}
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 6e2e16a..ef11eb5 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -9,6 +9,9 @@ on:
       - requirements_test.txt
       - .github/workflows/docker.yml
 
+permissions:
+  contents: read
+  packages: write
 
 jobs:
   build-image:
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 5fd6b27..adb9a5f 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -6,6 +6,10 @@ on:
     branches:
       - main
 
+permissions:
+  contents: write
+  pull-requests: read
+
 jobs:
   update_release_draft:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index eb7a626..d62a017 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   deploy-pypi:
     name: Build and publish to PyPi