diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index b2ee2f38..8e782751 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -12,6 +12,8 @@ on:
 jobs:
 check:
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index 7cffb8d0..96cafa9f 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -10,7 +10,8 @@ on:
 jobs:
 deploy:
 runs-on: ubuntu-24.04
-
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v4
 - name: Set up Python
diff --git a/.github/workflows/python-tests.yml b/.github/workflows/python-tests.yml
index 15820549..edb3c436 100644
--- a/.github/workflows/python-tests.yml
+++ b/.github/workflows/python-tests.yml
@@ -12,6 +12,8 @@ on:
 jobs:
 test:
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -51,6 +53,8 @@ jobs:
 UNSAFE_TESTS=1 bash tests/shell/all.sh
 test-legacy:
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read
 env:
 # Temporary workaround for Python 3.5 failures - May 2024, see CFE-4395
 PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
diff --git a/.github/workflows/python-validate-test.yml b/.github/workflows/python-validate-test.yml
index a03fdca2..b116043e 100644
--- a/.github/workflows/python-validate-test.yml
+++ b/.github/workflows/python-validate-test.yml
@@ -12,6 +12,8 @@ on:
 jobs:
 test-legacy:
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read
 env:
 # Temporary workaround for Python 3.5 failures - May 2024, see CFE-4395
 PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
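Review bot: The same two-line `permissions:` block is repeated per job (`check` in black.yml, and likewise `test` and `test-legacy` in python-tests.yml and `test-legacy` in python-validate-test.yml), so a job added to one of these workflows later without the block would fall back to the repository's default token permissions. Declaring it once at workflow level, `permissions:` with `contents: read` above `jobs:`, makes read-only the default for every job, and a job that needs more can still override it. The top of each workflow file is outside these hunks, so an existing top-level block cannot be ruled out from here.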
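Review bot: In python-publish.yml the `deploy` job now lists only `contents: read`, and every scope not named in a job-level `permissions:` block is set to none, including `id-token`. The upload step is outside this hunk, so it should be confirmed that it authenticates with a stored PyPI credential; if it relies on OIDC trusted publishing the block also needs `id-token: write`, otherwise the next release fails at upload. A comment above the block such as `# read-only token: PyPI upload uses <auth method>, not GITHUB_TOKEN` would record why nothing more is granted.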
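Review bot: The `test-legacy` job in python-tests.yml (and the same job in python-validate-test.yml) carries no comment saying why the token is restricted, and it is the job where the restriction matters most: `PIP_TRUSTED_HOST` in its `env:` makes pip skip certificate checks for the PyPI hosts. I would put `# read-only token: dependencies here are installed without TLS verification (CFE-4395)` above `permissions:` so the block is not widened later, and keep secrets out of this job's `env:`. The job's steps are outside the hunk.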