diff --git a/.github/workflows/_ci-node.yml b/.github/workflows/_ci-node.yml
index 0e0d0cc..d1cc10b 100644
--- a/.github/workflows/_ci-node.yml
+++ b/.github/workflows/_ci-node.yml
@@ -8,14 +8,13 @@
 # This will run standard CI for Node.js/npm/TypeScript projects.
 
 name: CI-Node
-permissions:
-  contents: write  # required for release_setup action
+permissions: {}
 
 on:
+  pull_request:
   push:
     branches:
       - master
-  pull_request:
 
 concurrency:
   group: "${{ github.workflow }}-${{ github.ref }}"
@@ -26,6 +25,8 @@ jobs:
     name: CI-Node
     uses: LizardByte/.github/.github/workflows/__call-ci-node.yml@master
     if: ${{ github.repository != 'LizardByte/.github' }}
+    permissions:
+      contents: write  # required for release_setup action
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
       GH_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
diff --git a/.github/workflows/_codeql.yml b/.github/workflows/_codeql.yml
index 15c5a6f..5569a2e 100644
--- a/.github/workflows/_codeql.yml
+++ b/.github/workflows/_codeql.yml
@@ -4,16 +4,13 @@
 # the above-mentioned repo.
 
 name: CodeQL
-permissions:
-  actions: read
-  contents: read
-  security-events: write
+permissions: {}
 
 on:
+  pull_request:
   push:
     branches:
       - master
-  pull_request:
   schedule:
     - cron: '00 12 * * 0'  # every Sunday at 12:00 UTC
 
@@ -26,3 +23,7 @@ jobs:
     name: CodeQL
     uses: LizardByte/.github/.github/workflows/__call-codeql.yml@master
     if: ${{ github.repository != 'LizardByte/.github' }}
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
diff --git a/.github/workflows/_common-lint.yml b/.github/workflows/_common-lint.yml
index 80be0cc..e7760cb 100644
--- a/.github/workflows/_common-lint.yml
+++ b/.github/workflows/_common-lint.yml
@@ -4,8 +4,7 @@
 # the above-mentioned repo.
 
 name: common lint
-permissions:
-  contents: read
+permissions: {}
 
 on:
   pull_request:
@@ -19,3 +18,5 @@ jobs:
     name: Common Lint
     uses: LizardByte/.github/.github/workflows/__call-common-lint.yml@master
     if: ${{ github.repository != 'LizardByte/.github' }}
+    permissions:
+      contents: read
diff --git a/.github/workflows/_update-docs.yml b/.github/workflows/_update-docs.yml
index 6dd66c5..863f92d 100644
--- a/.github/workflows/_update-docs.yml
+++ b/.github/workflows/_update-docs.yml
@@ -28,6 +28,7 @@ jobs:
     name: Update docs
     uses: LizardByte/.github/.github/workflows/__call-update-docs.yml@master
     if: github.repository_owner == 'LizardByte'
+    permissions: {}
     with:
       readthedocs_slug: ${{ vars.READTHEDOCS_SLUG }}
     secrets:
diff --git a/.github/workflows/_update-npm.yml b/.github/workflows/_update-npm.yml
index 3047c0a..df4e212 100644
--- a/.github/workflows/_update-npm.yml
+++ b/.github/workflows/_update-npm.yml
@@ -8,10 +8,7 @@
 # Update NPM packages on release events.
 
 name: Update NPM
-permissions:
-  contents: read
-  id-token: write  # required for provenance and OIDC
-  packages: write
+permissions: {}
 
 on:
   release:
@@ -27,5 +24,9 @@ jobs:
     name: Update NPM
     uses: LizardByte/.github/.github/workflows/__call-update-npm.yml@master
     if: github.repository_owner == 'LizardByte'
+    permissions:
+      contents: read
+      id-token: write  # required for provenance and OIDC
+      packages: write
     with:
       release_version: ${{ github.event.release.tag_name }}