diff --git a/.github/workflows/docs-deploy.yaml b/.github/workflows/docs-deploy.yaml
index 1769585c..c45c606b 100644
--- a/.github/workflows/docs-deploy.yaml
+++ b/.github/workflows/docs-deploy.yaml
@@ -13,6 +13,9 @@ on:
   workflow_dispatch:
   workflow_call:
 
+permissions:
+  contents: write
+
 jobs:
   deploy-docs:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/example-layout-slots-deploy.yaml b/.github/workflows/example-layout-slots-deploy.yaml
index e0a877c5..085fd8d0 100644
--- a/.github/workflows/example-layout-slots-deploy.yaml
+++ b/.github/workflows/example-layout-slots-deploy.yaml
@@ -6,6 +6,9 @@ on:
       - v*
   workflow_dispatch:
 
+permissions:
+  contents: write
+
 jobs:
   deploy-docs:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 98062875..629b3b6b 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -8,6 +8,9 @@ on:
     branches: [main]
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 8ba3525e..ddbfdce6 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,6 +5,10 @@ on:
     tags:
       - v*
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   lint:
     uses: ./.github/workflows/lint.yaml
@@ -16,9 +20,6 @@ jobs:
     if: github.repository == 'pengzhanbo/vuepress-theme-plume'
     needs: [test, lint]
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      id-token: write
     steps:
       - uses: actions/checkout@v6
         with:
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 451ef063..6586038b 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -8,6 +8,9 @@ on:
     branches: [main]
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   unit-test:
     runs-on: ubuntu-latest