diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index a82b84a..8b2dba9 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -30,6 +30,7 @@ jobs:
   # Build platform matrix excludes. if-conditional with matrix on job level is not
   # supported, see https://github.com/actions/runner/issues/1985
   platform-excludes:
+    permissions: {}
     runs-on: ubuntu-latest
     outputs:
       excludes: ${{ steps.excludes.outputs.matrix }}
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 65947d3..980773d 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -1,5 +1,8 @@
 name: pre-commit
 
+permissions:
+  contents: read
+
 on:
   pull_request:
   push:
diff --git a/.github/workflows/pytest.yml b/.github/workflows/pytest.yml
index 9cb6ea8..fa6452b 100644
--- a/.github/workflows/pytest.yml
+++ b/.github/workflows/pytest.yml
@@ -1,5 +1,8 @@
 name: Run Pytest on Pull Request
 
+permissions:
+  contents: read
+
 on:
   pull_request:
   push: