diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2b54628..f53a5bd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [main]
 
+permissions:
+ contents: read
+
 jobs:
 ci:
 uses: runcycles/.github/.github/workflows/ci-python.yml@main
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index 8286fc0..d5d9b51 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -15,6 +15,10 @@ on:
 - testpypi
 - pypi
 
+# Default least-privilege; publish-* jobs override with id-token: write.
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build distributions
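Review bot: The workflow-level `permissions: contents: read` added in ci.yml also caps the token for the called reusable workflow `ci-python.yml`, which can only keep or reduce what the caller grants. That workflow is not visible here, so confirm it needs no write scope (for example to post check results or PR comments); if it does, grant that on the `ci` job alone rather than widening the top-level block. Separately, the `uses:` line in the hunk context references `@main`, a mutable ref; pinning it to a full commit SHA would keep the code that runs with this token fixed. A short comment matching the one in python-publish.yml, e.g. `# Default least-privilege for all jobs.`, would make the two files consistent.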
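Review bot: The added comment in python-publish.yml says publish-* jobs "override with id-token: write", but a job-level `permissions` block replaces the workflow-level one instead of adding to it, so a job that lists only `id-token: write` ends up with `contents: none`. The publish jobs are outside this hunk; check whether they check out the repository or otherwise read contents, and if so list `contents: read` alongside `id-token: write` there. I would reword the comment to `# Default least-privilege. Job-level permissions replace this block; publish-* jobs set id-token: write.` so the next editor does not assume the scopes merge.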