diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a5ed97f22..7392ea403 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,6 +14,8 @@ on:
 
 jobs:
   lint:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -21,6 +23,8 @@ jobs:
         env:
           RUFF_OUTPUT_FORMAT: github
   test:
+    permissions:
+      contents: read
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -68,6 +72,8 @@ jobs:
         token: ${{ secrets.CODECOV_TOKEN }}
         verbose: true
   build:
+    permissions:
+      contents: read
     runs-on: ubuntu-24.04
     needs: lint
     steps: