diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f72a001..255790f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -11,6 +11,8 @@ on:
 jobs:
   publish-pypi:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python
@@ -32,10 +34,11 @@ jobs:
     needs: publish-pypi
     name: Create Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
-      - uses: actions/checkout@v4
       - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           name: Release ${{ github.ref_name }}
           draft: false
diff --git a/.github/workflows/run_annotation_tests.yml b/.github/workflows/run_annotation_tests.yml
index 7138a35..646c743 100644
--- a/.github/workflows/run_annotation_tests.yml
+++ b/.github/workflows/run_annotation_tests.yml
@@ -13,6 +13,8 @@ jobs:
   annotation-tests:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 20
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/run_tests.yml b/.github/workflows/run_tests.yml
index a0400af..d56640c 100644
--- a/.github/workflows/run_tests.yml
+++ b/.github/workflows/run_tests.yml
@@ -12,6 +12,8 @@ jobs:
   build:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 20
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix: