diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7d4be40..6a13168 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,9 @@ on: branches: - main +permissions: + contents: read + env: CARGO_TERM_COLOR: always RUST_VERSION_STABLE: 1.83.0
@@ -16,9 +19,14 @@ env: jobs: test: name: test + permissions: + contents: read + checks: write # Required for test results runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: dtolnay/rust-toolchain@stable - run: cargo test
@@ -27,6 +35,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: dtolnay/rust-toolchain@stable with: components: rustfmt
@@ -37,7 +47,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: dtolnay/rust-toolchain@stable with: components: clippy - - run: cargo clippy + - run: cargo clippy
\ No newline at end of file
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index fe32977..5da50a8 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,12 +5,13 @@ on: types: [ published ] permissions: - pull-requests: write - contents: write + contents: read jobs: build: name: Build - ${{ matrix.target }} + permissions: + contents: write # Only needed for release artifact uploads runs-on: ${{ matrix.os }} timeout-minutes: 60 strategy:
@@ -38,6 +39,8 @@ jobs: steps: - name: Checkout Git repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set Perl environment variables if: runner.os == 'Windows'
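Review bot: The test job grants `checks: write  # Required for test results`, but none of the steps visible in the hunk (checkout, `dtolnay/rust-toolchain@stable`, `run: cargo test`) publishes check runs, so the write scope is unused and should be dropped until a test-reporter step is actually added; `contents: read` is sufficient for `cargo test`. If a reporter is introduced later, grant the scope in that same change so the comment stays truthful. Since this commit is hardening the workflows, it is also worth pinning `actions/checkout@v4` and `dtolnay/rust-toolchain@stable` to full commit SHAs with the tag in a trailing comment, because both refs are mutable and `@stable` in particular is a moving branch.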
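Review bot: The `\ No newline at end of file` marker follows the added `+    - run: cargo clippy` line rather than the removed one, which indicates the clippy job's file now ends without a trailing newline where the original had one. The removed/added pair of `- run: cargo clippy` lines otherwise carries no change, so restore the final newline and let this hunk consist only of the `persist-credentials: false` addition.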
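Review bot: Job-level `contents: write  # Only needed for release artifact uploads` is granted to the whole matrix `build` job, so every matrix leg's build steps, including the third-party toolchain actions, run with a `GITHUB_TOKEN` that can push to the repository and edit releases rather than only the upload step the comment refers to. Least privilege would keep `build` at `contents: read`, hand the binaries to `actions/upload-artifact`, and add a separate job with `needs: build` and `permissions: contents: write` whose only steps download the artifacts and attach them to the release. The remainder of the build job is outside this hunk, so which step performs the upload is inferred from the comment.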
@@ -46,7 +49,7 @@ jobs: echo "OPENSSL_SRC_PERL=$((where.exe perl)[0])" | Out-File -FilePath $env:GITHUB_ENV -Append -Encoding utf8 - name: Install rust toolchain - if: ${{ !contains(matrix.platform.target, 'apple') }} + if: ${{ !contains(matrix.target, 'apple') }} uses: dtolnay/rust-toolchain@stable - uses: taiki-e/setup-cross-toolchain-action@v1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a1f9bc1..a47b6b2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,12 +6,14 @@ on: - main permissions: - pull-requests: write - contents: write + contents: read jobs: release: name: Release + permissions: + contents: write # Only needed for creating releases + id-token: write # Required for release-plz runs-on: ubuntu-latest concurrency: group: release-plz-${{ github.ref }}
@@ -20,6 +22,7 @@ jobs: - name: Checkout Git repo uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 token: ${{ secrets.RELEASE_PLZ_TOKEN }}
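Review bot: The corrected condition `if: ${{ !contains(matrix.target, 'apple') }}` changes behaviour rather than only fixing a typo: `matrix.platform.target` appears to have evaluated to empty (the job name uses `matrix.target`), so `!contains(...)` was always true and the toolchain step ran on every leg, whereas apple targets now skip `dtolnay/rust-toolchain@stable` entirely. Confirm the apple legs still get a usable toolchain from the runner image or from `taiki-e/setup-cross-toolchain-action@v1`, and record the intent above the `if:` with a comment such as `# apple targets rely on the runner's preinstalled toolchain`. The matrix definition is outside this hunk, so the target list is inferred.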
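Review bot: `id-token: write  # Required for release-plz` is only needed if release-plz publishes to crates.io via OIDC trusted publishing; if the job supplies a `CARGO_REGISTRY_TOKEN` secret instead, the scope is unnecessary and should be dropped, since `id-token: write` lets every step in the job mint OIDC tokens. The release-plz step is not in this hunk, so which case applies is inferred. Note also that `pull-requests: write` was removed without a job-level replacement, so release-plz can only open release PRs if it is driven by the `RELEASE_PLZ_TOKEN` PAT seen on the checkout step in the next hunk rather than by `GITHUB_TOKEN`; a comment such as `# PR creation uses RELEASE_PLZ_TOKEN, not GITHUB_TOKEN` next to the job permissions would make that dependency explicit.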