diff --git a/.github/workflows/blobby.yml b/.github/workflows/blobby.yml
index b7407895..eac18c91 100644
--- a/.github/workflows/blobby.yml
+++ b/.github/workflows/blobby.yml
@@ -8,6 +8,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: blobby
diff --git a/.github/workflows/block-buffer.yml b/.github/workflows/block-buffer.yml
index 73cfe835..b5d10e59 100644
--- a/.github/workflows/block-buffer.yml
+++ b/.github/workflows/block-buffer.yml
@@ -8,6 +8,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: block-buffer
diff --git a/.github/workflows/block-padding.yml b/.github/workflows/block-padding.yml
index 2160c150..55cd3412 100644
--- a/.github/workflows/block-padding.yml
+++ b/.github/workflows/block-padding.yml
@@ -8,6 +8,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: block-padding
diff --git a/.github/workflows/cmov.yml b/.github/workflows/cmov.yml
index b2f67ad5..7f107cfe 100644
--- a/.github/workflows/cmov.yml
+++ b/.github/workflows/cmov.yml
@@ -9,6 +9,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: cmov
diff --git a/.github/workflows/cpufeatures.yml b/.github/workflows/cpufeatures.yml
index 1161033e..936e8d41 100644
--- a/.github/workflows/cpufeatures.yml
+++ b/.github/workflows/cpufeatures.yml
@@ -8,6 +8,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: cpufeatures
diff --git a/.github/workflows/dbl.yml b/.github/workflows/dbl.yml
index c470862d..1b75b3aa 100644
--- a/.github/workflows/dbl.yml
+++ b/.github/workflows/dbl.yml
@@ -8,6 +8,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: dbl
diff --git a/.github/workflows/fiat-constify.yml b/.github/workflows/fiat-constify.yml
index 8e4cfe11..79904b24 100644
--- a/.github/workflows/fiat-constify.yml
+++ b/.github/workflows/fiat-constify.yml
@@ -9,6 +9,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: fiat-constify
diff --git a/.github/workflows/hex-literal.yml b/.github/workflows/hex-literal.yml
index dc77aeb2..12a03c08 100644
--- a/.github/workflows/hex-literal.yml
+++ b/.github/workflows/hex-literal.yml
@@ -8,6 +8,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: hex-literal
diff --git a/.github/workflows/hybrid-array.yml b/.github/workflows/hybrid-array.yml
index ae98cefb..46fe7c30 100644
--- a/.github/workflows/hybrid-array.yml
+++ b/.github/workflows/hybrid-array.yml
@@ -9,6 +9,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: hybrid-array
diff --git a/.github/workflows/inout.yml b/.github/workflows/inout.yml
index 6412ccdb..d8da0436 100644
--- a/.github/workflows/inout.yml
+++ b/.github/workflows/inout.yml
@@ -8,6 +8,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: inout
diff --git a/.github/workflows/opaque-debug.yml b/.github/workflows/opaque-debug.yml
index 12a6664d..dfb4b660 100644
--- a/.github/workflows/opaque-debug.yml
+++ b/.github/workflows/opaque-debug.yml
@@ -8,6 +8,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: opaque-debug
diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
index 6bc14e9e..215d0547 100644
--- a/.github/workflows/security-audit.yml
+++ b/.github/workflows/security-audit.yml
@@ -1,4 +1,5 @@
 name: Security Audit
+
 on:
   pull_request:
     paths: Cargo.lock
diff --git a/.github/workflows/workspace.yml b/.github/workflows/workspace.yml
index f8e79b03..80c32293 100644
--- a/.github/workflows/workspace.yml
+++ b/.github/workflows/workspace.yml
@@ -9,6 +9,9 @@ on:
     paths-ignore:
       - README.md
 
+permissions:
+  contents: read
+
 jobs:
   clippy:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/zeroize.yml b/.github/workflows/zeroize.yml
index 21ffdea1..7f69a611 100644
--- a/.github/workflows/zeroize.yml
+++ b/.github/workflows/zeroize.yml
@@ -9,6 +9,9 @@ on:
   push:
     branches: master
 
+permissions:
+  contents: read
+
 defaults:
   run:
     working-directory: zeroize