diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cdb56eb..a68a81f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,7 @@
 name: CI
 on: [push, pull_request]
+permissions:
+  contents: read
 jobs:
   build:
     name: Test on Ruby ${{ matrix.ruby_version }}, Rails ${{ matrix.rails_version }}, graphql-ruby ${{ matrix.graphql_version }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 225d283..49c8b65 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,12 +3,12 @@ on:
   release:
     types: [published]
   workflow_dispatch:
+permissions:
+  contents: write
+  id-token: write
 jobs:
   release:
     name: Release to RubyGems
-    permissions:
-      contents: write
-      id-token: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4