diff --git a/.github/workflows/ci-actions.yaml b/.github/workflows/ci-actions.yaml
index 3bb3b71..cf9533b 100644
--- a/.github/workflows/ci-actions.yaml
+++ b/.github/workflows/ci-actions.yaml
@@ -7,19 +7,16 @@ on:
 branches: ["**"]
 permissions:
- contents: read
+ contents: read # Needed to checkout the repository.
 jobs:
 zizmor:
 name: zizmor
 runs-on: ubuntu-latest
 permissions:
- # write is needed to upload security events to GitHub code scanning.
- security-events: write
- # we only need to read the contents of the repository.
- contents: read
- # we only need to read the action metadata.
- actions: read
+ security-events: write # Needed to upload code scanning results.
+ contents: read # Needed to checkout the repository.
+ actions: read # Needed to analyze action metadata.
 steps:
 - name: harden runner
 uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
diff --git a/.github/workflows/ci-code.yaml b/.github/workflows/ci-code.yaml
index 43515a4..740c99d 100644
--- a/.github/workflows/ci-code.yaml
+++ b/.github/workflows/ci-code.yaml
@@ -9,8 +9,7 @@ on:
 - main
 permissions:
- # we only need to read the contents of the repository.
- contents: read
+ contents: read # Needed to checkout the repository.
 jobs:
 rustfmt:
diff --git a/.github/workflows/release-assets.yaml b/.github/workflows/release-assets.yaml
index 3a07604..6499b57 100644
--- a/.github/workflows/release-assets.yaml
+++ b/.github/workflows/release-assets.yaml
@@ -6,14 +6,13 @@ on:
 - created
 permissions:
- contents: read
+ contents: read # Needed to checkout the repository.
 jobs:
 assets:
 name: assets
 permissions:
- # write is needed to upload release artifacts.
- contents: write
+ contents: write # Needed to upload release assets.
 runs-on: ubuntu-latest
 steps:
 - name: harden runner
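Review bot: In the zizmor job of ci-actions.yaml, the new comment `actions: read # Needed to analyze action metadata.` does not name the step that consumes the scope, and the workflow files being audited presumably come from the checkout, which `contents: read` already covers. If the results are uploaded with `github/codeql-action/upload-sarif` (the steps after harden-runner are outside the hunk), that action asks for `actions: read` only on private repositories, to read workflow run data. In that case a more accurate comment would be `actions: read # Needed by the SARIF upload to read workflow run data (private repositories only).`. Tying each scope to its consuming step makes it clear when a permission can be dropped.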
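Review bot: In release-assets.yaml the job-level `permissions` block on `assets` replaces the workflow-level one, so the checkout and every other step in that job run with the `contents: write` token, not the `contents: read` that the new top-level comment describes. That scope also allows pushing to the repository, which the inline comment could make visible, for example `contents: write # Needed to upload release assets; applies to every step in this job.`. If the job also builds the assets (its steps continue outside the hunk), building in a separate read-only job and keeping only the upload here would narrow what the write token is exposed to.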