diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index de3e7c5..6cae16d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,6 +1,8 @@
 name: CI
 on: [push, pull_request]
+permissions: read-all
+
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2e24a98..0677ce9 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -9,6 +9,8 @@ on:
 - cron: '0 8 * * 1'
 workflow_dispatch:
+permissions: read-all
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index e180513..eb57b4d 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -8,6 +8,8 @@ on:
 - 'package.json'
 - '!.changeset/**'
+permissions: read-all
+
 jobs:
 check-version:
 name: Check if version changed
@@ -16,7 +18,7 @@ jobs:
 changed: ${{ steps.check.outputs.changed }}
 steps:
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 2
@@ -42,10 +44,10 @@ jobs:
 attestations: write
 steps:
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Setup Node.js
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: 24
 cache: npm
@@ -60,7 +62,7 @@ jobs:
 run: npm run test:ci
 - name: Setup Node.js for publish
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: 24
 registry-url: 'https://registry.npmjs.org'
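Review bot: The new top-level `permissions: read-all` in ci.yml still gives GITHUB_TOKEN read access to every scope, which is wider than a test job normally needs. A narrower default would be `permissions:` with the single entry `contents: read`, adding further scopes per job only where a step requires them. The same applies to the identical top-level lines added in codeql.yml, publish.yml and version.yml. The `test` job body continues outside the hunk, so confirm that none of its steps read another scope before narrowing.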
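Review bot: In codeql.yml the `analyze` job may no longer be able to upload its results, because the workflow-level `permissions: read-all` leaves `security-events` at read unless the job declares its own block. The job body is outside the hunk, so confirm that it carries a job-level `permissions:` with `security-events: write`. A job-level block replaces the workflow default rather than merging with it, so any read scopes the job needs must be listed there as well. It would also help to add a comment above the top-level line, such as `# default for all jobs; analyze overrides below`.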
@@ -83,7 +85,7 @@ jobs:
 - name: Create GitHub Release
 id: release
- uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+ uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
 with:
 tag_name: v${{ steps.package.outputs.version }}
 generate_release_notes: true
diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml
index d26f031..4cb383c 100644
--- a/.github/workflows/version.yml
+++ b/.github/workflows/version.yml
@@ -7,6 +7,8 @@ on:
 concurrency: ${{ github.workflow }}-${{ github.ref }}
+permissions: read-all
+
 jobs:
 version:
 name: Create Version PR
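Review bot: In version.yml the `version` job is named "Create Version PR", so it presumably pushes a branch and opens a pull request, which a read-only GITHUB_TOKEN cannot do. With the new top-level `permissions: read-all`, the job needs its own block granting `contents: write` and `pull-requests: write`, unless it authenticates with a separate token. The job body is outside the hunk, so this is not verifiable from here. If the block already exists, a comment on the top-level line such as `# read-only default; the version job elevates explicitly` would make the intent clear.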