diff --git a/.changeset/lazy-ants-brush.md b/.changeset/lazy-ants-brush.md
new file mode 100644
index 000000000..b25b0fb9e
--- /dev/null
+++ b/.changeset/lazy-ants-brush.md
@@ -0,0 +1,7 @@
+---
+"skuba": patch
+---
+
+template/oss-npm-package: Lock down GitHub workflow permissions
+
+This aligns with [OpenSSF guidance](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions).
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 65193e49b..8f905f4d9 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -6,14 +6,19 @@ name: CodeQL
 on: - push: pull_request: + push: schedule: - cron: '0 22 * * 0' +permissions: {} + jobs: analyze: name: Analyze + permissions: + actions: read + security-events: write runs-on: ubuntu-latest strategy:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c772ed0fe..e9ee657d8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,8 @@ on:
 - beta - master +permissions: {} + jobs: release: name: Publish & Deploy
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 7692eae89..98881ca76 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -15,9 +15,13 @@ on:
 workflows: - Release +permissions: {} + jobs: core: name: Lint & Test + permissions: + checks: write runs-on: ubuntu-latest steps: - name: Check out repo
diff --git a/template/oss-npm-package/.github/workflows/release.yml b/template/oss-npm-package/.github/workflows/release.yml
index 3791c324b..281bf3a6b 100644
--- a/template/oss-npm-package/.github/workflows/release.yml
+++ b/template/oss-npm-package/.github/workflows/release.yml
@@ -6,9 +6,13 @@ on:
 - beta - master +permissions: {} + jobs: release: name: Publish & Deploy + permissions: + contents: write runs-on: ubuntu-latest steps: - name: Check out repo 
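Review bot: The job-level `permissions` block added in the codeql-analysis.yml hunk grants `actions: read` and `security-events: write` without saying which step needs each scope, and it omits `contents: read`, which GitHub's CodeQL starter workflow lists next to them for `actions/checkout`. On a public repository checkout of public content appears to still succeed with the token scoped this way, but a private or internal repository would fail at checkout, so the omission should be either documented as deliberate or replaced with an explicit grant. A one-line comment per scope makes the grant auditable, e.g. `security-events: write # codeql-action/analyze uploads SARIF to code scanning`, and the same treatment is owed to the `checks: write`-only grants in the root validate.yml hunk and in both template/oss-npm-package workflow hunks (release.yml in this file, validate.yml in the next), where the `permissions:` blocks are likewise uncommented. The analyze job's steps, including its checkout, lie outside this hunk.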
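Review bot: The root release.yml hunk adds `permissions: {}` at workflow level but, unlike the template release.yml in this same commit, adds no job-level grant for the `release` job, so that job's GITHUB_TOKEN is left with metadata access only. If any step in the job uses GITHUB_TOKEN to push a tag, create a GitHub release or open a pull request, it will now be refused; if those steps authenticate with a separate secret the empty grant is correct and should say so, e.g. `permissions: {} # release steps authenticate with a dedicated secret, not GITHUB_TOKEN`. The job's steps are outside the hunk, so which case applies cannot be confirmed from the diff.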
diff --git a/template/oss-npm-package/.github/workflows/validate.yml b/template/oss-npm-package/.github/workflows/validate.yml
index 3c2a69dff..0ea4e7969 100644
--- a/template/oss-npm-package/.github/workflows/validate.yml
+++ b/template/oss-npm-package/.github/workflows/validate.yml
@@ -4,9 +4,13 @@ on:
 - pull_request - push +permissions: {} + jobs: validate: name: Lint & Test + permissions: + checks: write runs-on: ubuntu-latest steps: - name: Check out repo