diff --git a/.github/workflows/pr-and-push.yml b/.github/workflows/pr-and-push.yml
index 38e88691..2b2d026f 100644
--- a/.github/workflows/pr-and-push.yml
+++ b/.github/workflows/pr-and-push.yml
@@ -13,5 +13,7 @@ concurrency:
 jobs:
   call-test-lint:
     uses: ./.github/workflows/test-lint.yml
+    permissions:
+      contents: read
     with:
-      ref: ${{ github.event.pull_request.head.sha }}
\ No newline at end of file
+      ref: ${{ github.event.pull_request.head.sha }}
diff --git a/.github/workflows/pypi-publish-on-release.yml b/.github/workflows/pypi-publish-on-release.yml
index 4047f596..d7038e82 100644
--- a/.github/workflows/pypi-publish-on-release.yml
+++ b/.github/workflows/pypi-publish-on-release.yml
@@ -13,6 +13,8 @@ jobs:
 
   build:
     name: Build distribution 📦
+    permissions:
+      contents: read
     needs:
       - call-test-lint
     runs-on: ubuntu-latest
@@ -55,6 +57,8 @@ jobs:
 
   deploy:
     name: Upload release to PyPI
+    permissions:
+      contents: read
     needs:
     - build
     runs-on: ubuntu-latest
@@ -75,4 +79,4 @@ jobs:
         name: python-package-distributions
         path: dist/
     - name: Publish distribution 📦 to PyPI
-      uses: pypa/gh-action-pypi-publish@release/v1
\ No newline at end of file
+      uses: pypa/gh-action-pypi-publish@release/v1