diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2cda6b9..2d033bb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,4 +1,6 @@
 name: ci
+permissions:
+  contents: read
 on:
   pull_request:
   push:
@@ -16,6 +18,8 @@ jobs:
           profile: minimal
           components: rustfmt
       - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
       - run: cargo fmt --all -- --check
 
   clippy:
@@ -32,6 +36,8 @@ jobs:
           components: clippy
 
       - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
 
       - run: cargo clippy --all-features ---all-targets -- --deny warnings
 
@@ -58,6 +64,8 @@ jobs:
       - run: cargo install cargo-audit --vers "0.13.1"
 
       - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
 
       - run: cargo generate-lockfile
 
@@ -86,6 +94,8 @@ jobs:
       - run: cargo install cargo-deny --vers "0.8.4"
 
       - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
 
       - run: cargo deny check
 
@@ -114,6 +124,8 @@ jobs:
           toolchain: ${{ matrix.rust_channel }}
 
       - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
 
       - run: |
           cargo doc --all-features
@@ -152,6 +164,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
 
       - uses: actions-rs/toolchain@v1
         with:
@@ -193,6 +207,8 @@ jobs:
         run: sudo apt-get update -y
 
       - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
 
       - if: ${{ !contains(matrix.host_os, 'windows') }}
         run: RING_COVERAGE=1 mk/install-build-tools.sh --target=${{ matrix.target }} ${{ matrix.features }}