diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0829085..b1008b1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -18,6 +18,10 @@ on:
         default: 'linux,macos,windows'
         type: string
 
+# Restrict GITHUB_TOKEN permissions for security
+permissions:
+  contents: read
+
 jobs:
   # Pre-build checks - fast failure for common issues
   lint: