diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml
index 664863a8ace..b7b6a6c3190 100644
--- a/.github/workflows/codeql-daily.yml
+++ b/.github/workflows/codeql-daily.yml
@@ -7,6 +7,9 @@ on:
 
 jobs:
   analyze:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      security-events: write  # for github/codeql-action/analyze to upload SARIF results
     runs-on: ubuntu-latest
 
     steps: