diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 514282fff..a59049976 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,6 +14,9 @@ on:
 - v[1-9].*
 - prep-v[1-9].*
 
+permissions:
+ contents: read
+
 env:
 BUILDTIME_BASE: "golang:1.25.1-alpine3.22"
 RUNTIME_BASE: "alpine:3.22"
@@ -183,6 +186,8 @@ jobs:
 ci-goreleaser-tag:
 runs-on: ubuntu-latest
 if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+ permissions:
+ contents: write
 steps:
 - name: Check out code into the Go module directory
 uses: actions/checkout@v6
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 64fe6e520..e8b1fb428 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -18,6 +18,11 @@ on:
 # * * * * *
 - cron: '30 1 * * 0'
 
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
 jobs:
 CodeQL-Build:
 # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
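Review bot: The workflow-level `permissions:` block added before `env:` in ci.yml sets every scope it does not list to none for all jobs, and only `ci-goreleaser-tag` gets an override in this commit. The other jobs are outside the visible hunks, so it is worth confirming that none of them pushes images or packages, comments on pull requests or uploads scan results. Those would need `packages: write`, `pull-requests: write` or `security-events: write` declared at job level. A short comment above the block would record the intent, for example `# Least-privilege default for GITHUB_TOKEN; jobs needing more declare their own permissions.`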
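Review bot: `ci-goreleaser-tag` now holds a `contents: write` token while its first step runs `actions/checkout@v6`, a mutable tag, and checkout leaves the token in the local git config by default. For the one job that can write to the repository, pinning to a full commit SHA (`uses: actions/checkout@<full-commit-sha>  # v6`) and setting `persist-credentials: false` under `with:` would narrow what can reach that token. This assumes the release step reads the token from the environment rather than from git; the remaining steps are outside the hunk. A job-level block replaces the workflow default rather than merging with it, so any other scope this job needs must be listed here as well.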
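Review bot: In codeql-analysis.yml the new block sits at workflow level, so `security-events: write` is granted to every job in the file, not only to `CodeQL-Build`. The jobs section continues outside the hunk; if other jobs exist or are added later, moving the three scopes under `CodeQL-Build:` keeps the write scope with the one job that uploads results. According to the CodeQL starter workflow, `actions: read` is needed only for private repositories, so a comment such as `# actions: read is only required when the repository is private` would help the next reader decide whether to keep it.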