diff --git a/.github/workflows/build_and_run.yml b/.github/workflows/build_and_run.yml
index abe16988..959092aa 100644
--- a/.github/workflows/build_and_run.yml
+++ b/.github/workflows/build_and_run.yml
@@ -4,6 +4,9 @@
 
 name: build and run
 
+# Declare default permissions as read only.
+permissions: read-all
+
 on:
   pull_request:
 
diff --git a/.github/workflows/conda-package.yml b/.github/workflows/conda-package.yml
index 8dd24fdc..e11d8430 100644
--- a/.github/workflows/conda-package.yml
+++ b/.github/workflows/conda-package.yml
@@ -4,6 +4,9 @@
 
 name: Conda package
 
+# Declare default permissions as read only.
+permissions: read-all
+
 on:
   push:
     branches:
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 383be9c2..31439758 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -4,6 +4,9 @@
 
 name: pre-commit
 
+# Declare default permissions as read only.
+permissions: read-all
+
 on:
   pull_request: