diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0a5c46d..95deeb9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,8 @@ on:
 pull_request:
 schedule:
 - cron: '15 3 * * 1'
+permissions:
+ contents: read
 jobs:
 php-lint:
 name: "PHP linter"
diff --git a/.github/workflows/codecoverage.yml b/.github/workflows/codecoverage.yml
index a69063c..4bd511c 100644
--- a/.github/workflows/codecoverage.yml
+++ b/.github/workflows/codecoverage.yml
@@ -6,9 +6,13 @@ on:
 branches:
 - main
 pull_request:
+permissions:
+ contents: read
 jobs:
 code-coverage:
 name: "Calculate code coverage"
+ permissions:
+ actions: write
 runs-on: ubuntu-22.04
 env:
 DB_DATABASE: typo3
diff --git a/.github/workflows/predefined.yml b/.github/workflows/predefined.yml
index ac46ce8..e8195e9 100644
--- a/.github/workflows/predefined.yml
+++ b/.github/workflows/predefined.yml
@@ -8,6 +8,8 @@
 name: CI with predefined GitHub actions
 on:
 workflow_dispatch:
+permissions:
+ contents: read
 jobs:
 php-lint:
 name: "PHP linter"
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5dd48da..112363c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,9 +4,12 @@ on:
 push:
 tags:
 - 'v[0-9]+.[0-9]+.[0-9]+'
-
+permissions:
+ contents: read
 jobs:
 publish:
+ permissions:
+ actions: write
 runs-on: ubuntu-22.04
 steps:
 - name: "Checkout"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 48940ce..173afb5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ This project adheres to [Semantic Versioning](https://semver.org/).
 ## x.y.z
 ### Added
+- Harden the GitHub Actions workflows (#649)
 - Add support for TYPO3 12 (#652)
 - Add `.gitignore` entry for JetBrains Fleet editor (#642)
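Review bot: In `.github/workflows/codecoverage.yml`, the job-level `permissions:` block added to `code-coverage` replaces the workflow-level block instead of extending it, so that job's token ends up with `actions: write` and every unlisted scope, including `contents`, set to none. If the job reads the repository through the token (its steps are outside the hunk), the block should list that scope itself, e.g. `contents: read` next to whatever write scope is really required. Nothing visible in the hunk shows why `actions: write` is needed; it is a write scope (cancelling runs, deleting caches), so I would either drop it or justify it in place with a comment such as `# actions: write is required by <step name> to <reason>`. The same applies to the `publish` job in `.github/workflows/publish.yml`, whose first visible step is a checkout and which runs on tag pushes with a token that is not restricted the way fork pull-request tokens are.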