diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 5816721..d0b406b 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -19,6 +19,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 env:
   # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml
index 0c3715b..6b2742a 100644
--- a/.github/workflows/reuse.yml
+++ b/.github/workflows/reuse.yml
@@ -3,6 +3,8 @@
 # SPDX-License-Identifier: CC0-1.0
 
 name: REUSE Compliance Check
+permissions:
+  contents: read
 
 on: [push, pull_request]