diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 5a51a99..1fdff8a 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,6 +6,9 @@ on: branches: - main +permissions: + contents: read + jobs: lint: runs-on: ubuntu-latest
diff --git a/.github/workflows/pr_title.yml b/.github/workflows/pr_title.yml
index 8511fa9..8a6f52a 100644
--- a/.github/workflows/pr_title.yml
+++ b/.github/workflows/pr_title.yml
@@ -7,6 +7,9 @@ on: - edited - synchronize +permissions: + pull-requests: read + jobs: main: name: Validate PR title
@@ -44,7 +47,7 @@ jobs: # special "[WIP]" prefix to indicate this state. This will avoid the # validation of the PR title and the pull request checks remain pending. # Note that a second check will be reported if this is enabled. - wip: true + wip: false # When using "Squash and merge" on a PR with only one commit, GitHub # will suggest using that commit message instead of the PR title for the # merge commit, and it's easy to commit this by mistake. Enable this option
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 4a4208e..f1bf021 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
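Review bot: In the second pr_title.yml hunk, `wip: false` is set without any record of why, and the comment block above it still only describes what enabling the option does. If the reason is that reporting the pending WIP status needs a write scope that the new `pull-requests: read` block no longer grants (inferred, since the action step is outside the hunk), say so next to the setting, e.g. `# Disabled: reporting the pending WIP status would need a write-scoped token.` The trigger type is also outside the hunk; if it is `pull_request_target`, the read-only token limits what the job can change, but the job should still never check out or run code from the pull request.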
@@ -2,27 +2,30 @@ name: publish on: push: tags: - - 'v*.*.*' + - "v*.*.*" + +permissions: + contents: read jobs: - pypi-publish: - name: upload release to PyPI - runs-on: ubuntu-latest - permissions: - # IMPORTANT: this permission is mandatory for trusted publishing - id-token: write - steps: - - name: Checkout - uses: actions/checkout@v5 - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: '3.13' - - name: Install dependencies - run: | - pip install -r requirements.txt - pip install build - - name: Build package - run: python -m build - - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + pypi-publish: + name: upload release to PyPI + runs-on: ubuntu-latest + permissions: + # IMPORTANT: this permission is mandatory for trusted publishing + id-token: write + steps: + - name: Checkout + uses: actions/checkout@v5 + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: "3.13" + - name: Install dependencies + run: | + pip install -r requirements.txt + pip install build + - name: Build package + run: python -m build + - name: Publish package distributions to PyPI + uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/.github/workflows/release_pr.yml b/.github/workflows/release_pr.yml
index a431fe5..5cbe3ae 100644
--- a/.github/workflows/release_pr.yml
+++ b/.github/workflows/release_pr.yml
@@ -4,6 +4,9 @@ on: branches: - main +permissions: + contents: read + jobs: release-please: runs-on: ubuntu-latest
diff --git a/.github/workflows/unittest.yml b/.github/workflows/unittest.yml
index ace8939..484fdbc 100644
--- a/.github/workflows/unittest.yml
+++ b/.github/workflows/unittest.yml
@@ -6,6 +6,9 @@ on: branches: - main +permissions: + contents: read + jobs: test: timeout-minutes: 30
@@ -16,7 +19,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v5 with: - python-version: '3.13' + python-version: "3.13" - name: Install dependencies run: | pip install --upgrade pip
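Review bot: In publish.yml the new workflow-level `contents: read` does not reach `pypi-publish`, because a job-level `permissions:` block replaces the workflow-level one instead of merging with it; the job still runs with `id-token: write` and every other scope set to none. Checkout in that job then only succeeds while the repository is public, so add `contents: read` under the job's `permissions:` next to `id-token: write` to make the intended scope explicit. Separately, the job that can mint the trusted-publishing OIDC token also runs `pip install -r requirements.txt` and three actions referenced by mutable tag or branch (`actions/checkout@v5`, `actions/setup-python@v5`, `pypa/gh-action-pypi-publish@release/v1`). Pinning those actions to full commit SHAs and building the distribution in a separate job without `id-token: write` would narrow what can reach that token.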
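Review bot: The workflow-level `contents: read` added in release_pr.yml will likely break the `release-please` job if it authenticates with the default `GITHUB_TOKEN`, since creating release pull requests, commits and tags needs write access. The job body is outside this hunk, so whether it passes a separate token instead is not visible here and should be confirmed. If the default token is used, keep the read-only workflow default and give the job its own `permissions:` block with `contents: write` and `pull-requests: write`, so the write scopes are limited to that one job.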