diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index f30964c27..6ee5c74cc 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -56,6 +56,9 @@ jobs:
         uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
 
   workflow-notification:
+    permissions:
+      contents: read
+      issues: write
     needs:
       - analyze
     if: always()
diff --git a/.github/workflows/owasp-dependency-check-daily.yml b/.github/workflows/owasp-dependency-check-daily.yml
index 62175e635..65a042ff5 100644
--- a/.github/workflows/owasp-dependency-check-daily.yml
+++ b/.github/workflows/owasp-dependency-check-daily.yml
@@ -40,6 +40,9 @@ jobs:
           path: "**/build/reports"
 
   workflow-notification:
+    permissions:
+      contents: read
+      issues: write
     needs:
       - analyze
     if: always()
diff --git a/.github/workflows/reusable-workflow-notification.yml b/.github/workflows/reusable-workflow-notification.yml
index a7223ffa2..701f90f5a 100644
--- a/.github/workflows/reusable-workflow-notification.yml
+++ b/.github/workflows/reusable-workflow-notification.yml
@@ -9,8 +9,14 @@ on:
         type: boolean
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   workflow-notification:
+    permissions:
+      contents: read
+      issues: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -19,7 +25,8 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          number=$(gh issue list --search "Workflow failed: $GITHUB_WORKFLOW" --limit 1 --json number -q .[].number)
+          # TODO (trask) search doesn't support exact phrases, so it's possible that this could grab the wrong issue
+          number=$(gh issue list --search "in:title Workflow failed: $GITHUB_WORKFLOW" --limit 1 --json number -q .[].number)
           echo $number
           echo ${{ inputs.success }}
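Review bot: The job-level `permissions` block added to the `workflow-notification` caller job in codeql.yml is now the ceiling for the reusable workflow's token — a called workflow can only narrow what the caller grants, never widen it — so the two scopes here must be kept in lockstep with what reusable-workflow-notification.yml actually uses, and the same applies to the identical hunk in owasp-dependency-check-daily.yml and to the job-level block in the reusable workflow itself. `contents: read` is justified by the `actions/checkout` step visible in the third hunk, and `issues: write` presumably covers issue creation or closing that happens after the `gh issue list` step, outside the visible hunks. A short comment on each caller block would stop a future scope addition in the reusable workflow from failing silently at the call site, e.g. `# must cover every scope used by reusable-workflow-notification.yml (checkout + gh issue ...)`. The workflow-level `permissions: contents: read` in the reusable file is also worth a one-line note that a job-level `permissions` key replaces rather than merges with it, which is why `contents: read` is repeated there.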
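Review bot: The `in:title` qualifier in the rewritten `gh issue list` line still matches any open issue whose title contains those words in any order (the words are ANDed, not matched as a phrase), and because this job now holds `issues: write` the wrong match is not just a wrong log line but an issue that later steps may comment on or close; the TODO acknowledges the risk but the command could be narrowed further. GitHub's issue search accepts a double-quoted phrase, so `number=$(gh issue list --search "in:title \"Workflow failed: $GITHUB_WORKFLOW\"" --limit 1 --json number -q '.[].number')` should at least reject issues that merely contain the individual words — whether it is exact enough to retire the TODO is worth testing rather than assuming. Quoting the jq filter as `'.[].number'` also keeps the shell from glob-expanding `.[]` if a matching file ever exists in the checkout, and `echo "$number"` on the following line avoids word splitting. A more robust discriminator would be a dedicated label or an author filter on the bot-created issue, but that depends on how the issue is created, which is outside this hunk; the `run` block continues past the end of the hunk.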