diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2380a13de..bffa22f78 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,10 +19,14 @@ on:
 - sdk-release/**
 - feature/**
+permissions: {}
+
 jobs:
 build:
 name: Build
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
 steps:
 - uses: extractions/setup-just@v2
@@ -45,6 +49,8 @@ jobs:
 name: Test (${{ matrix.ruby-version }})
 # this version of jruby isn't available in the new latest (24.04) so we have to pin (or update jruby)
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
 strategy:
 matrix:
 # following https://docs.stripe.com/sdks/versioning?lang=ruby#stripe-sdk-language-version-support-policy
@@ -70,6 +76,8 @@ jobs:
 endsWith(github.actor, '-stripe')
 needs: [build, test]
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
 steps:
 - name: Download all workflow run artifacts
 uses: actions/download-artifact@v4
diff --git a/.github/workflows/rules.yml b/.github/workflows/rules.yml
index 21d6c0989..b7d9c0d8b 100644
--- a/.github/workflows/rules.yml
+++ b/.github/workflows/rules.yml
@@ -7,6 +7,8 @@ on:
 types:
 - auto_merge_enabled
+permissions: {}
+
 jobs:
 require_merge_commit_on_merge_script_pr:
 name: Merge script PRs must create merge commits
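Review bot: The first step of the build job in the first ci.yml hunk, `extractions/setup-just@v2`, is a third-party action referenced by a movable tag, so whatever that tag resolves to at run time executes with the job's new `contents: read` token and its workspace. Pinning it to a full commit SHA would complement the least-privilege change, e.g. `- uses: extractions/setup-just@<full-commit-sha>  # v2`. A comment above the new top-level `permissions: {}`, such as `# Deny all GITHUB_TOKEN scopes by default; each job declares what it needs.`, would also tell authors of future jobs why they start with no access. The build job's remaining steps are outside the hunk.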
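Review bot: `contents: read` may be more than the job in the third ci.yml hunk needs (the one gated by `endsWith(github.actor, '-stripe')` and running after build and test). The only step visible, `actions/download-artifact@v4`, fetches artifacts from the same workflow run and does not depend on GITHUB_TOKEN scopes for that. If no later step checks out the repository or calls the GitHub API, a job-level `permissions: {}` would leave this job with an empty token. The `if:` expression and the remaining steps are outside the hunk, so this needs checking against the full job before narrowing.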
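Review bot: The workflow-level `permissions: {}` added in rules.yml has no comment stating that the empty token is intentional, and no job-level block is visible for `require_merge_commit_on_merge_script_pr`. That is the right setting if the job only inspects the event payload, but any step that calls the GitHub API would now be denied; the steps are outside the hunk, so this should be confirmed. A comment above the line would record the intent, e.g. `# No GITHUB_TOKEN scopes: this workflow only reads the pull_request event payload.`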