diff --git a/.github/workflows/ci-markdown.yml b/.github/workflows/ci-markdown.yml
index 73eb80b89cd..769318ddede 100644
--- a/.github/workflows/ci-markdown.yml
+++ b/.github/workflows/ci-markdown.yml
@@ -14,6 +14,9 @@ on:
 - 'lib/**/*.md'
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 lint:
 name: Lint Markdown content
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9fee9a60d66..ebd245f5c79 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,13 +16,13 @@ env:
 LANG: C.UTF-8
 permissions:
- contents: write
- id-token: write
- attestations: write
+ contents: read
 jobs:
 create_draft_release:
 runs-on: ubuntu-22.04
+ permissions:
+ contents: write
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 steps:
@@ -122,6 +122,9 @@ jobs:
 runs-on: ${{ matrix.flavor == 'linux' && 'ubuntu-22.04' || 'windows-2022' }}
+ permissions:
+ contents: write
+
 steps:
 - name: "Download build"
 uses: actions/download-artifact@v4
@@ -181,6 +184,11 @@ jobs:
 runs-on: ubuntu-24.04
+ permissions:
+ contents: write
+ id-token: write
+ attestations: write
+
 steps:
 - name: Use HTTPS instead of SSH for Git cloning
 id: git-config
@@ -255,6 +263,9 @@ jobs:
 needs: [create_draft_release, build, sign, sbom]
 runs-on: ubuntu-22.04
+ permissions:
+ contents: write
+
 steps:
 - uses: actions/download-artifact@v4
 with:
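Review bot: In `release.yml`, the `contents: write` grant on `create_draft_release` sits next to a job-level `env:` that sets `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, so every step of the job receives the write-scoped token in its environment, not only the step that creates the release. Moving that `env:` entry onto the one step that needs it would keep the token as narrow as the new `permissions:` block intends; the steps are outside the hunk, so which step that is needs checking. Separately, with the workflow default now `contents: read`, any job this diff does not give its own block runs read-only, and `build` (named in the later `needs:` list) does not appear to be touched here, so confirm it needs nothing beyond read.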
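Review bot: In the job at `@@ -122,6 +122,9 @@` of `release.yml`, `uses: actions/download-artifact@v4` is resolved through a mutable tag inside a job that now explicitly holds `contents: write`. Pinning it to a full commit SHA, `uses: actions/download-artifact@<full-commit-sha> # v4`, means a moved tag cannot change what runs with the write token; the same line appears in the last hunk (`@@ -255,6 +263,9 @@`), which receives the same grant. A comment on the grant naming the step that needs write, such as `contents: write  # <step that uploads to the release>`, would make later tightening easier. The job body continues outside the hunk, so other `uses:` lines may need the same treatment.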
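Review bot: In the job at `@@ -181,6 +184,11 @@` of `release.yml`, `contents: write` is granted together with `id-token: write` and `attestations: write`, so any step in this job can both request an OIDC token and modify repository contents. Producing an attestation needs `id-token: write`, `attestations: write` and only read access to contents, so if no step here uploads to the release, `contents: read` would be enough. The steps after `git-config` are outside the hunk, so this is something to confirm rather than a definite excess. A short comment per line recording why each scope is needed, for example `id-token: write  # OIDC token for the attestation step` if that is its purpose, would document the grant.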