diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml
index 0fc64c7..825f68c 100644
--- a/.github/workflows/reuse.yml
+++ b/.github/workflows/reuse.yml
@@ -6,6 +6,9 @@ name: REUSE Compliance Check
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
index 4b173df..bbffd88 100644
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@@ -3,6 +3,10 @@
 # SPDX-License-Identifier: CC0-1.0
 
 name: SonarQube
+
+permissions:
+  contents: read
+
 on:
   push:
     branches: