diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml
index d5d68d6..4cdb358 100644
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-dist.yml
@@ -17,8 +17,12 @@ on:
       - '**.md'
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   check-dist:
+    permissions:
+      contents: read # for actions/checkout to fetch code
     runs-on: ubuntu-latest
 
     steps: