diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 9bbc868..e255680 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -5,6 +5,10 @@ on:
       - '*'
   pull_request:
 
+# Restrict the GITHUB_TOKEN to read-only by default for all jobs.
+# Individual jobs that require write access should declare it explicitly.
+permissions: read-all
+
 jobs:
   lint:
     name: ${{ matrix.os }}${{ matrix.arch }} - Python ${{ matrix.version }} - lint
@@ -59,6 +63,8 @@ jobs:
   publish:
     needs: tests
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+    permissions:
+      contents: read # minimum needed to check out source for sdist build
     uses: Drakkar-Software/.github/.github/workflows/python3_sdist_workflow.yml@master
    secrets:
      PYPI_OFFICIAL_UPLOAD_URL: ${{ secrets.PYPI_OFFICIAL_UPLOAD_URL }}
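Review bot: `permissions: read-all` is broader than the comment above it suggests: it grants read on every GITHUB_TOKEN scope (contents, issues, pull-requests, packages, and so on), not only what a checkout needs. If the lint and test jobs only read the repository, a workflow-level `permissions:` with `contents: read` is the tighter default, since it leaves every other scope at none and jobs still opt in to anything broader. Whichever is kept, the comment should state what the token actually gets, e.g. `# Default the GITHUB_TOKEN to read on every scope; jobs declare anything broader themselves.` The enclosing `on:` block begins before this hunk.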
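Review bot: The job-level `permissions` on `publish` replaces the workflow default, so the reusable workflow called on the `uses:` line receives only `contents: read`; whether that suffices depends on `python3_sdist_workflow.yml`, which this diff does not show, and if that workflow asks for more (for example `id-token: write` for trusted publishing) GitHub fails the job rather than silently degrading it, so a test run on a tag is worth doing before relying on this. The inline comment asserts the minimum without that evidence; hedging it, `contents: read  # expected minimum for checkout; confirm against python3_sdist_workflow.yml`, also fixes the single space before `#` that yamllint flags. Not introduced by this change but in the same hunk, `@master` is a mutable ref for the called workflow, so pinning it to a commit SHA would make the publish step reproducible. The `secrets:` block may continue past the end of the hunk.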