diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml
index 0e04459..e22d821 100644
--- a/.github/workflows/_build.yaml
+++ b/.github/workflows/_build.yaml
@@ -8,9 +8,6 @@ name: Build
-permissions:
- contents: read
-
 on:
 workflow_call:
 inputs:
@@ -21,6 +18,8 @@ on:
 type: string
 required: true
+permissions: read-all
+
 jobs:
 Build:
 runs-on: ${{ inputs.os }}
diff --git a/.github/workflows/_build_doc.yaml b/.github/workflows/_build_doc.yaml
index 1cdd0bc..d92fe46 100644
--- a/.github/workflows/_build_doc.yaml
+++ b/.github/workflows/_build_doc.yaml
@@ -7,9 +7,6 @@ name: Build Doc
-permissions:
- contents: read
-
 on:
 workflow_call:
 inputs:
@@ -20,6 +17,8 @@ on:
 type: string
 required: true
+permissions: read-all
+
 jobs:
 Build:
 runs-on: ${{ inputs.os }}
diff --git a/.github/workflows/_codecov.yaml b/.github/workflows/_codecov.yaml
index 7a0c10b..6cd3b0d 100644
--- a/.github/workflows/_codecov.yaml
+++ b/.github/workflows/_codecov.yaml
@@ -8,9 +8,6 @@ name: CodeCov
-permissions:
- contents: read
-
 on:
 workflow_call:
 inputs:
@@ -21,6 +18,8 @@ on:
 type: string
 required: true
+permissions: read-all
+
 concurrency:
 group: codecov-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/_codeql.yaml b/.github/workflows/_codeql.yaml
index ed82dde..1b36a1a 100644
--- a/.github/workflows/_codeql.yaml
+++ b/.github/workflows/_codeql.yaml
@@ -15,6 +15,12 @@ name: CodeQL
 on:
 workflow_call:
+# Don't change this permissions. These must match those of the analyze job.
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/_pre_commit.yaml b/.github/workflows/_pre_commit.yaml
index cefd7e4..1d583ea 100644
--- a/.github/workflows/_pre_commit.yaml
+++ b/.github/workflows/_pre_commit.yaml
@@ -7,12 +7,11 @@ name: Pre-Commit
-permissions:
- contents: read
-
 on:
 workflow_call:
+permissions: read-all
+
 jobs:
 Pre-Commit:
 runs-on: ubuntu-latest
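Review bot: `permissions: read-all` on the new side of the second _build.yaml hunk grants the GITHUB_TOKEN read access to every permission scope (actions, checks, deployments, issues, packages, pull-requests, statuses and the rest), which is strictly broader than the `contents: read` that the first hunk of the same file removes; the identical widening appears in _build_doc.yaml, _codecov.yaml, _pre_commit.yaml, _pypi_publish.yaml and _test.yaml. Nothing visible in these hunks (`runs-on: ${{ inputs.os }}`, `concurrency:`, a job named from `inputs.REPOSITORY_URL`) shows a need for anything beyond checking out the repository, and for a `workflow_call` workflow the caller's grant only caps the token, so the called workflow should still declare the minimum it uses rather than inherit everything readable. Keep the explicit block, `permissions:` / `  contents: read`, and add a named scope only where a step is shown to need it. The job bodies continue outside the hunks, so if a step there does require a wider scope, a comment naming that step next to the scope would document the choice.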
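Review bot: The workflow-level `security-events: write` added in the _codeql.yaml hunk applies to every job in that workflow, not only to `analyze`, so any other job defined under `jobs:` (the jobs block runs past the end of the hunk) also receives write access to code-scanning alerts. If the `analyze` job already declares these three scopes itself, as the added comment implies, the workflow-level block is redundant and could stay at `contents: read`; if it does not, placing the block under `jobs.analyze.permissions` keeps the write scope on the single job that performs the analysis. The comment also reads better as `# Don't change these permissions; they must match those of the analyze job.`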
diff --git a/.github/workflows/_pypi_publish.yaml b/.github/workflows/_pypi_publish.yaml
index 9220545..22b0f5a 100644
--- a/.github/workflows/_pypi_publish.yaml
+++ b/.github/workflows/_pypi_publish.yaml
@@ -9,9 +9,6 @@ name: PyPI Publish
-permissions:
- contents: read
-
 on:
 workflow_call:
 inputs:
@@ -22,6 +19,8 @@ on:
 API_TOKEN:
 required: true
+permissions: read-all
+
 jobs:
 PyPI-Publish:
 name: Upload to ${{ inputs.REPOSITORY_URL }}
diff --git a/.github/workflows/_test.yaml b/.github/workflows/_test.yaml
index 07c69dd..0f09f04 100644
--- a/.github/workflows/_test.yaml
+++ b/.github/workflows/_test.yaml
@@ -7,9 +7,6 @@ name: Test Spot
-permissions:
- contents: read
-
 on:
 workflow_call:
 inputs:
@@ -20,6 +17,8 @@ on:
 type: string
 required: true
+permissions: read-all
+
 jobs:
 Test:
 name: Test ${{ inputs.os }} ${{ inputs.python-version }}