diff --git a/.github/workflows/linux-flatpak.yml b/.github/workflows/linux-flatpak.yml
index 439f45327..0db9f2548 100644
--- a/.github/workflows/linux-flatpak.yml
+++ b/.github/workflows/linux-flatpak.yml
@@ -43,6 +43,8 @@ jobs:
           - arch: aarch64
             runner: ubuntu-24.04-arm
     runs-on: ${{ matrix.variant.runner }}
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -133,6 +135,8 @@ jobs:
     name: Verify maven sources
     runs-on: ubuntu-latest
     needs: [build-flatpak]
+    permissions:
+      contents: none
     steps:
       - name: Download updated maven aarch64 dependencies
         uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
@@ -152,6 +156,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: [get-version, verify-maven-sources]
     if:  github.event_name == 'workflow_dispatch' && inputs.create-pr || github.event_name == 'release' && needs.get-version.outputs.versionType == 'stable'
+    permissions:
+      contents: write
     env:
       TARBALL_URL: 'https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ needs.get-version.outputs.semVerStr || github.event.release.tag_name }}.tar.gz'
     steps: