diff --git a/assets/github/onbranch.tmpl b/assets/github/onbranch.tmpl
index 4bc252a1..04ee6803 100644
--- a/assets/github/onbranch.tmpl
+++ b/assets/github/onbranch.tmpl
@@ -5,6 +5,10 @@ on:
  pull_request:
    types: [opened, synchronize, reopened, closed]
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   on_pr:
     if: github.event.action != 'closed'
diff --git a/assets/github/onmain.tmpl b/assets/github/onmain.tmpl
index 9776cbb9..d747c88d 100644
--- a/assets/github/onmain.tmpl
+++ b/assets/github/onmain.tmpl
@@ -6,6 +6,10 @@ on:
     branches:
       - {{ .DefaultBranch }}
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   cli:
     runs-on: ubuntu-latest