diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7149ce8..80a28e0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: ["main", "dev"]
 
+permissions:
+ contents: read
+
 jobs:
 test-python:
 name: Test Python
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4b6e638..0c62bfe 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,11 @@ on:
 tags:
 - "**"
 
+permissions:
+ contents: write
+ packages: write
+ id-token: write
+
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -44,6 +49,9 @@ jobs:

 push-docker-backend:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -90,6 +98,9 @@ jobs:

 push-docker-frontend:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -137,6 +148,8 @@ jobs:
 create-github-release:
 name: Create GitHub Release
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 needs: [build, publish-to-pypi, push-docker-backend, push-docker-frontend]
 steps:
 - name: Checkout
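Review bot: The workflow-level `permissions:` block added at the top of release.yml is the default for every job without a block of its own, so `build` and `publish-to-pypi` (named in `needs`, neither given a job-level block in this diff) would run with `contents: write`, `packages: write` and `id-token: write`. A job-level block replaces the workflow default rather than merging with it, which is why the three jobs patched further down are already narrowed. I would set the default to `contents: read` and grant `id-token: write` only on the job that requests an OIDC token, presumably `publish-to-pypi`. That job's definition is outside these hunks, so check it before moving the scope.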
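Review bot: In `push-docker-backend`, and identically in the `push-docker-frontend` hunk, the job token now carries `packages: write`, and the `actions/checkout@v4` step in the same hunk stores that token in the checkout's git config by default. The step's `with:` block lies outside the hunk, so confirm it sets `persist-credentials: false`, or that `.git` is excluded from the Docker build context, so the token cannot end up in a pushed image layer. If neither is in place, adding `persist-credentials: false` under the checkout step's `with:` is the smaller change.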