diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 660040a0..ddd971bc 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,9 @@ on:
   schedule:
     - cron: '29 8 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/stale-bot.yml b/.github/workflows/stale-bot.yml
index b901bd78..3261e292 100644
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@@ -16,6 +16,10 @@ on:
   schedule:
     - cron: '0 20 * * SUN' # every Sunday at 20 am UTC: PST 0:00 AM "
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   stale-close:
     runs-on: ubuntu-22.04