diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 37da059..f448db3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,10 @@ on:
 pull_request:
 branches: [main]
+# Least-privilege default for all jobs: they only need to read the repo.
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Test py${{ matrix.python-version }} on ${{ matrix.os }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index e881d61..15795e8 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -9,6 +9,11 @@ on:
 tags:
 - "v*"
+# Least-privilege default. Jobs that need more (OIDC publishing to
+# PyPI, creating a GitHub Release) escalate in their own permissions block.
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build sdist + wheel
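Review bot: The added comment in ci.yml asserts that all jobs only need to read the repo, but the `jobs:` mapping (the `test` job starts in the hunk and continues outside it) is not visible here, so that claim is not verified by the diff. A job that previously relied on the default token to write, for example to post a pull-request comment, would now fail at runtime with a 403 rather than at workflow parse time, so it is worth confirming each job's steps before merging. I would also align the comment with the one added to publish.yml so both files state the same rule, e.g. `# Least-privilege default. Jobs that need more declare their own permissions block.`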
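Review bot: The comment added to publish.yml says jobs "escalate in their own permissions block", but a job-level `permissions:` replaces the workflow-level default rather than adding to it: any scope not listed in the job block is set to none. A job that declares only `id-token: write` for OIDC publishing therefore loses `contents: read`, which matters if that job also checks out the repository or reads release assets. I would extend the comment, e.g. `# NOTE: a job-level permissions block replaces this default; re-list contents: read there if the job needs it.` The `build` job and the publishing jobs this refers to lie outside the hunk.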