diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 090e8a2c7..cb0eb0bce 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -5,6 +5,9 @@ on:
   pull_request:
     types: [ assigned, opened, synchronize, reopened, labeled ]
 name: ci
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index d8d53bf9d..ce806bd7d 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -3,8 +3,13 @@ on:
      branches:
        - main
 name: release-please
+permissions: {}
 jobs:
   release-please:
+    permissions:
+      contents: write # to create release commit (google-github-actions/release-please-action)
+      pull-requests: write # to create release PR (google-github-actions/release-please-action)
+
     runs-on: ubuntu-latest
     steps:
       - uses: google-github-actions/release-please-action@v3