diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c88f0797..8c2aba34 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,8 @@ on:
 - stable
 - v*
+permissions: read-all
+
 concurrency:
 group: test-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/configure.yml b/.github/workflows/configure.yml
index b469a69d..4ae22281 100644
--- a/.github/workflows/configure.yml
+++ b/.github/workflows/configure.yml
@@ -9,6 +9,9 @@ on:
 - stable
 - v*
+permissions:
+ contents: read
+
 env:
 # For cmake:
 VERBOSE: 1
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 46489feb..b8242ee5 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -12,6 +12,9 @@ on:
 - stable
 - "v*"
+permissions:
+ contents: read
+
 env:
 FORCE_COLOR: 3
 # For cmake:
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 165a2fd8..858a4a0e 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -3,10 +3,15 @@ on:
 pull_request_target:
 types: [closed]
+permissions: {}
+
 jobs:
 label:
 name: Labeler
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
 - uses: actions/labeler@main
diff --git a/.github/workflows/pip.yml b/.github/workflows/pip.yml
index 6d9be3b1..c1feb6fe 100644
--- a/.github/workflows/pip.yml
+++ b/.github/workflows/pip.yml
@@ -12,6 +12,9 @@ on:
 types:
 - published
+permissions:
+ contents: read
+
 env:
 PIP_ONLY_BINARY: numpy
diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml
index be643ddf..4acfbfce 100644
--- a/.github/workflows/upstream.yml
+++ b/.github/workflows/upstream.yml
@@ -5,6 +5,9 @@ on:
 workflow_dispatch:
 pull_request:
+permissions:
+ contents: read
+
 concurrency:
 group: upstream-${{ github.ref }}
 cancel-in-progress: true
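Review bot: `permissions: read-all` in ci.yml gives the GITHUB_TOKEN read access to every scope (issues, pull requests, packages, security events and so on), which is wider than the `contents: read` this same commit sets in configure.yml, format.yml, pip.yml and upstream.yml. Unless a job in this workflow actually reads one of those other scopes, the narrower form fits here too: `permissions:` followed by `  contents: read`. The jobs are outside the hunk, so confirm none of them needs more before tightening; a job that does can declare its own job-level `permissions:` block.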
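Review bot: The new job-level `pull-requests: write` in labeler.yml is handed to `actions/labeler@main`, a branch reference that can change without any commit in this repository, and the workflow runs on `pull_request_target`, where the token keeps its write scope even for pull requests opened from forks. Pinning the action to a full commit SHA keeps the code that receives that token fixed and reviewable: `- uses: actions/labeler@<full-commit-sha>  # <release tag>`. A short comment above the job's `permissions:` saying what each scope is for (as far as the action's documentation goes, `contents: read` for its configuration file and `pull-requests: write` to apply labels) would also help the next person who edits it. The `steps:` list continues past the end of the hunk.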
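Review bot: The workflow-level `contents: read` in pip.yml applies to every job, including whatever runs on the `published` release event listed just above it. If a job there attaches files to the release or authenticates to a package index through OIDC, it needs its own job-level block (for example `permissions:` with `contents: write` or `id-token: write`), and without one the failure only shows up at release time. The jobs are outside the hunk, so this is a check to make rather than a confirmed defect.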