diff --git a/.github/workflows/format-check.yml b/.github/workflows/format-check.yml
index 0a31794..25a9d43 100644
--- a/.github/workflows/format-check.yml
+++ b/.github/workflows/format-check.yml
@@ -3,6 +3,9 @@ name: Format checks
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   format-check:
     name: FILE FORMAT
diff --git a/.github/workflows/link-check.yml b/.github/workflows/link-check.yml
index bb00329..a3449c6 100644
--- a/.github/workflows/link-check.yml
+++ b/.github/workflows/link-check.yml
@@ -3,6 +3,9 @@ name: Link checks
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   link-check:
     name: LINK checking
diff --git a/.github/workflows/spell-check.yml b/.github/workflows/spell-check.yml
index 71217d8..3a7d882 100644
--- a/.github/workflows/spell-check.yml
+++ b/.github/workflows/spell-check.yml
@@ -3,6 +3,9 @@ name: Spelling checks
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   spelling-check:
     name: SPELLING check
diff --git a/.github/workflows/trigger-contribute-site-netlify.yml b/.github/workflows/trigger-contribute-site-netlify.yml
index db81972..9846eff 100644
--- a/.github/workflows/trigger-contribute-site-netlify.yml
+++ b/.github/workflows/trigger-contribute-site-netlify.yml
@@ -4,6 +4,9 @@ on:
   push:
     branches: [main]
 
+# Only posts to NETLIFY_CONTRIBUTE_SITE_BUILD_HOOK; no GitHub API.
+permissions: {}
+
 jobs:
   trigger:
     runs-on: ubuntu-latest