diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml
index 308f764..d03a90b 100644
--- a/.github/workflows/coveralls.yml
+++ b/.github/workflows/coveralls.yml
@@ -1,22 +1,26 @@
 name: LibraryOfCongress/tests-bagit-python
+permissions: {}
+
 on:
-  workflow_dispatch:
+    workflow_dispatch:
 jobs:
-  test:
-    runs-on: ubuntu-16.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3.5.0
-    - uses: actions/setup-python@v4.6.0
-      with:
-        python-version: "${{ matrix.python }}"
-    - run: apt-get -y install gettext
-    - run: pip install --upgrade pip
-    - run: pip install coveralls coverage
-    - run: coverage run --include=bagit.py setup.py test
-    - run: coveralls
-      if: "${{ success() }}"
-    strategy:
-      matrix:
-        python:
-        - '3.10'
+    test:
+        permissions:
+            contents: read
+        runs-on: ubuntu-16.04
+        steps:
+            - name: checkout
+              uses: actions/checkout@v3.5.0
+            - uses: actions/setup-python@v4.6.0
+              with:
+                  python-version: "${{ matrix.python }}"
+            - run: apt-get -y install gettext
+            - run: pip install --upgrade pip
+            - run: pip install coveralls coverage
+            - run: coverage run --include=bagit.py setup.py test
+            - run: coveralls
+              if: "${{ success() }}"
+        strategy:
+            matrix:
+                python:
+                    - "3.10"
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
index 004de62..1250573 100644
--- a/.github/workflows/pypi-release.yml
+++ b/.github/workflows/pypi-release.yml
@@ -1,10 +1,13 @@
 name: "PyPI releases"
+permissions: {}
 
 on: release
 
 jobs:
     build_sdist:
         name: Build Python source distribution
+        permissions:
+            contents: read
         runs-on: ubuntu-latest
         steps:
             - uses: actions/checkout@v3
@@ -19,14 +22,14 @@ jobs:
     pypi-publish:
         name: Upload release to PyPI
         if: github.event_name == 'release' && github.event.action == 'published'
+        permissions:
+            id-token: write
         needs:
             - build_sdist
         runs-on: ubuntu-latest
         environment:
             name: pypi
             url: https://pypi.org/p/bagit
-        permissions:
-            id-token: write
         steps:
             - uses: actions/download-artifact@v4
               with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ed2dfcc..f4cc7f9 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,4 +1,5 @@
 name: Test
+permissions: {}
 
 on:
     push:
@@ -8,6 +9,8 @@ on:
 
 jobs:
     ruff: # https://docs.astral.sh/ruff
+        permissions:
+            contents: read
         runs-on: ubuntu-latest
         steps:
             - uses: actions/checkout@v4
@@ -16,11 +19,14 @@ jobs:
 
     test:
         needs: ruff
+        permissions:
+            contents: read
         runs-on: ubuntu-latest
         strategy:
             fail-fast: false
             matrix:
-                python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
+                python-version:
+                    ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
         steps:
             - uses: actions/checkout@v4
             - name: Set up Python ${{ matrix.python-version }}