diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5bf78a56..f995f8d7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,9 @@ name: Continuous Integration
 on: pull_request
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -12,6 +15,8 @@ jobs:
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
+ with:
+ persist-credentials: false
 - name: Set up Python 3.13 for emulator
 uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
@@ -53,6 +58,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
+ with:
+ persist-credentials: false
 - name: Set up Python 3.9
 uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
 with:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index d60b3cd0..3a9d14c7 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -22,6 +22,9 @@ on:
 repository_dispatch:
 types: [firebase_nightly_build]
+permissions:
+ contents: read
+
 jobs:
 nightly:
@@ -32,6 +35,7 @@ jobs:
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
 with:
 ref: ${{ github.event.client_payload.ref || github.ref }}
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6bbf19aa..aaab4c8d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,6 +32,9 @@ on:
 types:
 - firebase_build
+permissions:
+ contents: read
+
 jobs:
 stage_release:
 # To publish a release, merge a PR with the title prefix '[chore] Release ' to main
@@ -47,6 +50,8 @@ jobs:
 steps:
 - name: Checkout source for staging
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
@@ -106,6 +111,9 @@ jobs:
 steps:
 - name: Checkout source for publish
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 4.3.1
+ with:
+ # Ignored since the GITHUB_TOKEN needs to be persisted for this workflow.
+ persist-credentials: true # zizmor: ignore[artipacked]
 # Download the artifacts created by the stage_release job.
 - name: Download release candidates
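Review bot: `persist-credentials: false` on the checkout in the `build` job (and the same addition in the `@@ -53` hunk of ci.yml, the `@@ -32` hunk of nightly.yml and the `@@ -47` hunk of release.yml) removes the GITHUB_TOKEN from `.git/config`, so any later step in those jobs that runs `git push` or fetches private refs through the ambient git credential will now fail; each job's step list continues past its hunk, so confirm none relies on it, and where one does, hand the token to that single step explicitly instead of persisting it for the whole job. In nightly.yml the checked-out ref is chosen by `github.event.client_payload.ref`, so not leaving the token on disk next to payload-selected code is the right default there in particular. A one-line comment above each new `with:` stating that intent, e.g. `# Do not leave GITHUB_TOKEN in .git/config; no later step needs git auth.`, would keep the setting from being reverted as a "fix" the first time a step needs it.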
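Review bot: The publish job keeps `persist-credentials: true` so the GITHUB_TOKEN stays available to later steps, but the workflow-level `permissions: contents: read` added in the `@@ -32` hunk of this file now applies to this job too, so the persisted token can no longer push tags or create releases unless the job declares its own `permissions:` block with `contents: write`; the job header is outside the hunk, so confirm that override exists before merging. The suppression comment should also say which step needs the token so the `zizmor: ignore[artipacked]` stays justified, e.g. `# Kept on purpose: the <step name> step below authenticates git with GITHUB_TOKEN.` with the real step name filled in. Note that `true` is the action's default, so this line's only effect is that documentation and the marker, which is fine. The enclosing job's steps continue past the hunk.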