diff --git a/.github/workflows/commit-validation.yml b/.github/workflows/commit-validation.yml
index 0b52e94e5..1c785d6f8 100644
--- a/.github/workflows/commit-validation.yml
+++ b/.github/workflows/commit-validation.yml
@@ -1,6 +1,9 @@
 name: commit-validation
 on: [ push, pull_request ]
 
+permissions:
+  contents: read
+
 jobs:
   check-commit-msg-length:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/format-validation.yml b/.github/workflows/format-validation.yml
index a0a5b34b7..f75e35db8 100644
--- a/.github/workflows/format-validation.yml
+++ b/.github/workflows/format-validation.yml
@@ -26,6 +26,9 @@ on:
       - 'test/tables/planets.jats_archiving'
       - 'test/tables/students.jats_archiving'
 
+permissions:
+  contents: read
+
 jobs:
   jats:
     name: JATS
diff --git a/.github/workflows/lint.yml.bkp b/.github/workflows/lint.yml.bkp
index 13f4919da..890f55636 100644
--- a/.github/workflows/lint.yml.bkp
+++ b/.github/workflows/lint.yml.bkp
@@ -14,6 +14,9 @@ on:
       - stack.yaml
       - .travis.yml
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
diff --git a/.github/workflows/release-candidate.yml b/.github/workflows/release-candidate.yml
index 84b2e8565..7259e6215 100644
--- a/.github/workflows/release-candidate.yml
+++ b/.github/workflows/release-candidate.yml
@@ -5,6 +5,9 @@ on:
     branches:
     - 'rc/**'
 
+permissions:
+  contents: read
+
 jobs:
   linux: