diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index a4eee9a2..ad54b886 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -11,8 +11,15 @@ on:
     - cron: "0 7 * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
+    permissions:
+      contents: read
+      actions: write
+      security-events: write
     strategy:
       fail-fast: false
       matrix:
@@ -85,6 +92,9 @@ jobs:
         if: matrix.runner-os == 'ubuntu-latest'
 
   upload-event-file:
+    permissions:
+      contents: read
+      actions: write
     runs-on: ubuntu-latest
     steps:
       # This is used by the subsequent publish-test-results.yaml
@@ -95,6 +105,9 @@ jobs:
           path: ${{ github.event_path }}
 
   build-for-e2e-test:
+    permissions:
+      contents: read
+      actions: write
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == 'github'
     strategy:
       fail-fast: false
@@ -140,11 +153,12 @@ jobs:
             dist/win-x64/gei-windows-amd64.exe
 
   e2e-test:
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == 'github'
-    needs: [build-for-e2e-test]
     permissions:
-      checks: write
       contents: read
+      actions: write
+      checks: write
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == 'github'
+    needs: [build-for-e2e-test]
     strategy:
       fail-fast: false
       matrix:
@@ -279,6 +293,8 @@ jobs:
         shell: pwsh
 
   publish:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/v')
     needs: [build, e2e-test]
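Review bot: The `build` job's new `permissions` block grants `actions: write`, which is broader than a build job normally needs and nothing in the hunk shows what consumes it; that scope lets any step in the job, including every third-party action it runs, cancel or re-run workflow runs and delete artifacts and caches. Uploading artifacts with `actions/upload-artifact` works with the default token and does not require it, so if the only reason is artifact upload the line can be dropped; if it is there for cache or artifact cleanup, say so in place so the next reviewer does not remove it. I would add a why-comment on the line, e.g. `actions: write  # required for <cache/artifact cleanup step>; drop if that step goes away`. `security-events: write` is fine for uploading code-scanning results but deserves the same one-line justification. The top-level `permissions: contents: read` default is the right baseline and is what makes the per-job grants below auditable; the matrix and remaining steps of `build` continue outside this hunk.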
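Review bot: `upload-event-file` only needs to upload `${{ github.event_path }}` as an artifact, which does not require `actions: write`; `contents: read` alone is sufficient for `actions/upload-artifact`, so the `actions: write` line enlarges the token for no visible reason. The comment says the artifact feeds the subsequent `publish-test-results.yaml`, which is presumably a `workflow_run` workflow running with a trusted token; that downstream workflow must keep treating the event payload as untrusted PR-controlled data (it is uploaded on pull requests from forks), and a note to that effect belongs next to the existing comment, e.g. `# The event payload is attacker-controlled on fork PRs; the consuming workflow must not act on it without validation.` The job's steps continue outside this hunk.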
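Review bot: `build-for-e2e-test` gains `actions: write` although its visible purpose is to build and upload `dist/` binaries for the e2e job, and artifact upload alone does not need that scope; unless a later step deletes artifacts or caches, `contents: read` is enough and the extra line should be removed or justified inline, e.g. `actions: write  # needed by <step>; remove if unused`. The existing `if:` keeps fork PRs out of this job, which is the right gate, but note that the gate is on `head.repo.owner.login`, so it admits any fork owned by the `github` org, not only the upstream repository. The rest of the job, including its matrix and steps, is outside this hunk.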
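Review bot: The reordering of `if:`/`needs:` below `permissions:` is cosmetic, but the substantive change in `e2e-test` is the new `actions: write`, and the hunk shows nothing that uses it; `checks: write` is what check-run publishing needs, so `actions: write` should either be removed or carry a comment naming the step that requires it, e.g. `actions: write  # <step> deletes the e2e build artifacts`. This job already runs with repository secrets for the e2e tests (inferred from the fork gate, not visible here), so every extra scope on its token widens what a compromised dependency or action in the matrix can do. The job's matrix and steps continue outside this hunk.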
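Review bot: `publish` now gets `contents: write` and is gated only on `startsWith(github.ref, 'refs/tags/v')`, so anyone who can push a `v*` tag to the repository, including via `workflow_dispatch` on a tag, can drive a release with a token that can write to the repository and its releases. If that is not already covered, bind the job to a protected environment, e.g. `environment: release` with required reviewers, and restrict who can create `v*` tags with a tag protection rule or ruleset; a comment such as `# contents: write is needed to create the GitHub release for the tag` would also record why this is the one job that writes. The job's steps, which show what is actually published, are outside this hunk.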