diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fa01c0b..788343c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: write
+
 jobs:
 lint:
 uses: ./.github/workflows/lint-job.yml
diff --git a/.github/workflows/lint-job.yml b/.github/workflows/lint-job.yml
index 32abdfa..4015fc5 100644
--- a/.github/workflows/lint-job.yml
+++ b/.github/workflows/lint-job.yml
@@ -3,6 +3,9 @@ name: Lint Job
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 8c73450..3bbae4a 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -4,6 +4,10 @@ on:
 pull_request:
 types: [opened, synchronize, reopened]
 
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 lint:
 uses: ./.github/workflows/lint-job.yml
diff --git a/.github/workflows/test-job.yml b/.github/workflows/test-job.yml
index abb3b89..832a991 100644
--- a/.github/workflows/test-job.yml
+++ b/.github/workflows/test-job.yml
@@ -3,6 +3,9 @@ name: Test Job
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/trivy-scan-job.yml b/.github/workflows/trivy-scan-job.yml
index d20073c..6f5aa06 100644
--- a/.github/workflows/trivy-scan-job.yml
+++ b/.github/workflows/trivy-scan-job.yml
@@ -3,6 +3,9 @@ name: Trivy Scan Job
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 trivy-scan:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/typecheck-job.yml b/.github/workflows/typecheck-job.yml
index e63cba9..f722b1d 100644
--- a/.github/workflows/typecheck-job.yml
+++ b/.github/workflows/typecheck-job.yml
@@ -3,6 +3,9 @@ name: Typecheck Job
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 typecheck:
 runs-on: ubuntu-latest
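Review bot: `contents: write` is granted at workflow level in ci.yml, so every job in the file runs with a write-capable GITHUB_TOKEN, including the `lint` job that only calls lint-job.yml. The hunk does not show which job needs to push or publish (the `jobs:` map continues outside it). I would set the workflow default to `contents: read` and add a job-level `permissions:` with `contents: write` on that one job only. A comment such as `# contents: write is needed by <job> to <reason>` next to the grant would record why the scope exists.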
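Review bot: Nothing visible in pr.yml explains the `pull-requests: read` scope; the only job shown in the hunk calls lint-job.yml, which declares `contents: read` alone. If no called workflow reads pull-request metadata through the API, the line can be dropped; otherwise add a comment naming the consumer, e.g. `# pull-requests: read is used by <job>`. A called workflow can only keep or narrow the caller's token permissions, so this block is the upper bound for every job started from a pull request. The `jobs:` map continues outside the hunk.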
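Review bot: Declaring `permissions:` with only `contents: read` in trivy-scan-job.yml sets every unlisted scope to `none` for the `trivy-scan` job. The job's steps are outside this hunk, so this is a question rather than a finding: if the job uploads SARIF results to code scanning, it would also need `security-events: write`, both here and in each caller (pr.yml grants only `contents` and `pull-requests`). If the job only prints findings or fails the build on them, the block is right as written.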