diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 92be0c52b..0ad9122e7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -8,6 +8,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   test:
diff --git a/new-package/github/workflows/test.yml b/new-package/github/workflows/test.yml
index c50af58c2..494515767 100644
--- a/new-package/github/workflows/test.yml
+++ b/new-package/github/workflows/test.yml
@@ -4,6 +4,9 @@ name: CI
 # events but only for the main branch
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   test:
@@ -64,6 +67,9 @@ jobs:
   publish:
     needs: [test] # make sure all your other jobs succeed before trying to publish
 
+    permissions:
+      contents: write
+
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
diff --git a/test/run-snapshots/elm-review-something-for-new-rule/.github/workflows/test.yml b/test/run-snapshots/elm-review-something-for-new-rule/.github/workflows/test.yml
index c50af58c2..494515767 100644
--- a/test/run-snapshots/elm-review-something-for-new-rule/.github/workflows/test.yml
+++ b/test/run-snapshots/elm-review-something-for-new-rule/.github/workflows/test.yml
@@ -4,6 +4,9 @@ name: CI
 # events but only for the main branch
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   test:
@@ -64,6 +67,9 @@ jobs:
   publish:
     needs: [test] # make sure all your other jobs succeed before trying to publish
 
+    permissions:
+      contents: write
+
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
diff --git a/test/run-snapshots/elm-review-something/.github/workflows/test.yml b/test/run-snapshots/elm-review-something/.github/workflows/test.yml
index c50af58c2..494515767 100644
--- a/test/run-snapshots/elm-review-something/.github/workflows/test.yml
+++ b/test/run-snapshots/elm-review-something/.github/workflows/test.yml
@@ -4,6 +4,9 @@ name: CI
 # events but only for the main branch
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   test:
@@ -64,6 +67,9 @@ jobs:
   publish:
     needs: [test] # make sure all your other jobs succeed before trying to publish
 
+    permissions:
+      contents: write
+
     # The type of runner that the job will run on
     runs-on: ubuntu-latest