diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 20dea514ed..a58af7a0f2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,6 +19,9 @@ on:
   pull_request:
     branches: [ "master" ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/todo-to-issue.yml b/.github/workflows/todo-to-issue.yml
index ff2b43ef1f..20dface723 100644
--- a/.github/workflows/todo-to-issue.yml
+++ b/.github/workflows/todo-to-issue.yml
@@ -22,6 +22,10 @@ on:
   pull_request:
     branches: [ "master" ]
 
+permissions:
+  contents: write   # the workflow pushes a commit back to the PR head branch
+  issues: write     # alstr/todo-to-issue-action creates issues for TODOs
+
 jobs:
   build:
     runs-on: ubuntu-latest