diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 08797988..73822bfb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,14 +1,14 @@
 name: build
 
-permissions:
-  contents: write
-
 on:
   pull_request:
     branches: [ master ]
   release:
     types: [edited, published]
 
+permissions:
+  contents: write
+
 jobs:
   build:
     name: PyInstaller for ${{ matrix.os }}
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 6390e184..853a5cc4 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -7,6 +7,8 @@ on:
   pull_request_target:
     types: [opened, edited, synchronize]
 
+permissions: read-all
+
 jobs:
   check_changelog:
     # no need to check for dependency updates via dependabot
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 390a814f..314f5261 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -2,13 +2,13 @@
 # https://blog.trailofbits.com/2023/05/23/trusted-publishing-a-new-benchmark-for-packaging-security/
 name: publish to pypi
 
-permissions:
-  contents: write
-
 on:
   release:
     types: [published]
 
+permissions:
+  contents: write
+
 jobs:
   pypi-publish:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
index 87bf8f45..752a008e 100644
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@@ -4,6 +4,8 @@ on:
   release:
     types: [published]
 
+permissions: read-all
+
 jobs:
   tag:
     name: Tag capa rules
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 8e6cead2..bd68f26c 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions: read-all
+
 # save workspaces to speed up testing
 env:
   CAPA_SAVE_WORKSPACE: "True"
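Review bot: The workflow-level `permissions:` / `contents: write` in build.yml still applies to every job, including runs triggered by `pull_request`, which only need read access to check out and build; publish.yml keeps the same workflow-wide grant. Declaring the block inside the one job that actually uploads release artifacts — `permissions:` / `  contents: write` under that job — leaves PR-triggered runs on a read-only token. The `build` job's body and any sibling jobs are outside the hunk, so which job needs write cannot be confirmed from here; moving the block below `on:` changes nothing about the scopes granted.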
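Review bot: `permissions: read-all` grants read on every token scope, whereas this `pull_request_target`-triggered check most likely needs only `contents: read` and `pull-requests: read`; the same shorthand is used in tag.yml and tests.yml. Enumerating the scopes (`permissions:` / `  contents: read` / `  pull-requests: read`) records what the job uses and stays minimal if GitHub adds scopes to the token later. Because `pull_request_target` runs with the base repository's token and secrets, the `check_changelog` job (its body is outside the hunk) should not check out or execute code from the PR head; restricting the token does not cover that on its own.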
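Review bot: Setting `permissions` at the workflow level makes every unlisted scope `none`, so the OIDC trusted publishing that the header comment links to works only if the `pypi-publish` job declares `id-token: write` itself. That job's body is outside the hunk, so confirm the job-level grant is present; without it the workflow-wide `contents: write` block silently removes the `id-token` scope the publish step relies on.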