diff --git a/.github/workflows/prepare-cache.yml b/.github/workflows/prepare-cache.yml
index 5fac3c6c75..037bc3d0b3 100644
--- a/.github/workflows/prepare-cache.yml
+++ b/.github/workflows/prepare-cache.yml
@@ -7,6 +7,9 @@ on:
         required: true
         type: string
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   prepare-npm-cache:
     name: Prepare npm cache for ${{ inputs.os }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index aed42b3cde..fe15a08202 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,8 +7,14 @@ on:
         required: true
         type: string
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   test:
+    permissions:
+      checks: write # for coverallsapp/github-action to create new checks
+      contents: read # for actions/checkout to fetch code
     strategy:
       fail-fast: false
       matrix: