diff --git a/.github/workflows/deploy b/.github/workflows/deploy
index ed556b9a..0cecb8ea 100644
--- a/.github/workflows/deploy
+++ b/.github/workflows/deploy
@@ -1,7 +1,23 @@
 name: Build with Hugo
 
 on: [push, pull_request]
-  
+
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+    actions: none
+    checks: none
+    contents: write
+    deployments: none
+    id-token: none
+    issues: none
+    packages: none
+    pages: none
+    pull-requests: none
+    repository-projects: none
+    security-events: none
+    statuses: none
+
 jobs:
   deploy:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/deploy_docsy.yml b/.github/workflows/deploy_docsy.yml
index 3d916822..08264837 100644
--- a/.github/workflows/deploy_docsy.yml
+++ b/.github/workflows/deploy_docsy.yml
@@ -5,6 +5,22 @@ on:
     branches:
       - main
 
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+    actions: none
+    checks: none
+    contents: write
+    deployments: none
+    id-token: none
+    issues: none
+    packages: none
+    pages: none
+    pull-requests: none
+    repository-projects: none
+    security-events: none
+    statuses: none
+
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch: