diff --git a/.github/workflows/on-demand-verification.yml b/.github/workflows/on-demand-verification.yml
index edef8a7..0ebe6dd 100644
--- a/.github/workflows/on-demand-verification.yml
+++ b/.github/workflows/on-demand-verification.yml
@@ -5,6 +5,9 @@
 name: On demand verification
 run-name: 'On demand by ${{ github.actor }}'
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/on-push-verification.yml b/.github/workflows/on-push-verification.yml
index 7e695c5..c871c99 100644
--- a/.github/workflows/on-push-verification.yml
+++ b/.github/workflows/on-push-verification.yml
@@ -7,6 +7,9 @@
 name: On push & pull-request verification
 run-name: '${{ github.event_name }}: ${{ github.base_ref }} ${{ github.ref_name }}' # github.base_ref null for 'on: push'
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
diff --git a/.github/workflows/scheduled-verification.yml b/.github/workflows/scheduled-verification.yml
index eec34da..b798bdf 100644
--- a/.github/workflows/scheduled-verification.yml
+++ b/.github/workflows/scheduled-verification.yml
@@ -5,6 +5,9 @@
 name: Scheduled verification
 run-name: Scheduled verification
 
+permissions:
+  contents: read
+
 on:
   schedule:
     # Run Sunday & Wednesday at 00:00