diff --git a/.github/workflows/run_tests.yml b/.github/workflows/run_tests.yml
index 32a366a..c1ae20e 100644
--- a/.github/workflows/run_tests.yml
+++ b/.github/workflows/run_tests.yml
@@ -1,9 +1,15 @@
 name: Run tests
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   run-tests:
     name: Run tests
+    permissions:
+      contents: read
+      actions: write
     strategy:
       fail-fast: false
       matrix:
@@ -124,6 +130,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: run-tests
     if: ${{ always() }}
+    permissions:
+      actions: write
     steps:
       - name: Merge coverage
         uses: actions/upload-artifact/merge@v4
@@ -137,6 +145,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: merge-coverage
     if: ${{ always() }}
+    permissions:
+      contents: read
+      actions: read
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5