diff --git a/.github/workflows/github-pages.yml b/.github/workflows/github-pages.yml
index f3acc794e9..ab93e22320 100644
--- a/.github/workflows/github-pages.yml
+++ b/.github/workflows/github-pages.yml
@@ -4,8 +4,12 @@ on:
 tags:
 - '*'
 
+permissions: {}
 jobs:
 github-pages:
+ permissions:
+ contents: write # to push pages branch (peaceiris/actions-gh-pages)
+
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index b0d00f761a..ac78fe14ca 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,5 +1,7 @@
 name: main
 on: [ push, pull_request, merge_group ]
+permissions:
+ contents: read # to fetch code (actions/checkout)
 jobs:
 test:
 runs-on: ubuntu-latest
@@ -241,6 +243,8 @@ jobs:
 ~/.composer/vendor/bin/ocular code-coverage:upload --format=php-clover coverage-clover.xml
 
 release:
+ permissions:
+ contents: write # to create a release (actions/create-release)
 runs-on: ubuntu-latest
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
 steps:
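Review bot: In the github-pages.yml hunk, the `github-pages` job now carries a `contents: write` token, and the added comment names a third-party action (peaceiris/actions-gh-pages) as its consumer. The `uses:` lines are outside the hunk, so confirm that this action is referenced by a full commit SHA and not a movable tag. If the deploy step receives the token through its own input, the Checkout step can also set `persist-credentials: false`, so the write-scoped token is not left in the checked-out repository's git config for later steps.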
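Review bot: The first main.yml hunk grants `contents: read` at workflow level, while github-pages.yml in the same commit sets `permissions: {}` at the top and grants scopes per job. Using the deny-all default here too, with `permissions:` / `contents: read` on each job that checks out code, would stop a job added later from inheriting a scope it never asked for. Only the `test` and `release` jobs are visible in these hunks, so any other jobs in the file would need the same per-job block.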
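Review bot: In the second main.yml hunk, the `release` job now gets `contents: write`, but its gate on the context line, `contains(github.ref, 'refs/tags/')`, matches any ref that merely contains that substring, not only tag refs. With a write token attached, it is worth anchoring the check: `if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')`. The job's steps continue outside the hunk, so the same pinning check applies to the actions/create-release reference named in the added comment.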