diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 61b5f83a..a594c498 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,7 +1,6 @@
 ---
 name: Jekyll CI
-permissions:
- contents: read
+permissions: {}
 
 on:
 pull_request:
@@ -22,6 +21,8 @@ concurrency:
 jobs:
 call-jekyll-build:
 uses: ./.github/workflows/jekyll-build.yml
+ permissions:
+ contents: read
 secrets:
 GH_BOT_EMAIL: ${{ secrets.GH_BOT_EMAIL }}
 GH_BOT_NAME: ${{ secrets.GH_BOT_NAME }}
diff --git a/.github/workflows/jekyll-build.yml b/.github/workflows/jekyll-build.yml
index a0ad40e6..a337659d 100644
--- a/.github/workflows/jekyll-build.yml
+++ b/.github/workflows/jekyll-build.yml
@@ -1,7 +1,6 @@
 ---
 name: Build Jekyll
-permissions:
- contents: read
+permissions: {}
 
 on:
 workflow_call:
@@ -71,6 +70,8 @@ env:
 jobs:
 build:
 name: Build Jekyll
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - name: Input validation
@@ -235,8 +236,10 @@ jobs:
 (github.event_name == 'push' && github.ref == 'refs/heads/master') ||
 github.event_name == 'schedule' ||
 github.event_name == 'workflow_dispatch'
- runs-on: ubuntu-latest
 needs: build
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
 steps:
 - name: Checkout gh-pages
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
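Review bot: With the workflow-level block changed to `permissions: {}`, every job in ci.yml that does not declare its own `permissions` key now runs with a GITHUB_TOKEN that has no scopes at all, and `actions/checkout` on a private repository fails with a 403 in that state. The only job visible in this diff, `call-jekyll-build`, is given `contents: read` in the next hunk; any other job in the file outside these hunks needs the same explicit grant or it silently loses the read access it had from the old workflow default. The intent is worth recording so the next person does not "fix" a 403 by widening the top-level block: `permissions: {}  # default-deny; each job declares only the scopes it needs`.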
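Review bot: The `contents: read` added on `call-jekyll-build` is a ceiling, not just a grant: for a reusable workflow the called jobs can only downgrade the token scopes the caller job passes, never elevate them. That is a good property here (nothing in jekyll-build.yml can obtain write access on the pull_request path through this caller), but it also means any future step in the called workflow that needs to push with GITHUB_TOKEN will fail from this entry point unless the caller is widened too. A one-line comment on the grant would make that coupling explicit: `# caps every job in jekyll-build.yml at read for this trigger`.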
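Review bot: `contents: read` on the deploy job in the last hunk is only sufficient if the later push to gh-pages uses a credential other than GITHUB_TOKEN; if the push step relies on the default token it will now be rejected, and that step is not visible because the job body continues past the hunk (and its `if:` condition starts before it). The GH_BOT_EMAIL/GH_BOT_NAME secrets suggest a dedicated bot identity, which makes a separate deploy token or deploy key plausible, but nothing in the diff confirms it. If that is the case, say so on the block so the narrow grant is not mistaken for an oversight: `# gh-pages push uses the bot's own credential; GITHUB_TOKEN only needs read`. Note that on the standalone push/schedule/workflow_dispatch triggers this job-level block is the effective grant, whereas via workflow_call it is additionally capped by the caller.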