diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bbd1184c9878..9b5f99543b60 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,8 @@ on:
     branches:
       - main
   pull_request:
+permissions:
+  contents: read
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
diff --git a/.github/workflows/combine-prs.yml b/.github/workflows/combine-prs.yml
index e0b360e53f4c..17f7f55b1a2e 100644
--- a/.github/workflows/combine-prs.yml
+++ b/.github/workflows/combine-prs.yml
@@ -15,6 +15,9 @@ on:
         required: true
         default: 'combine-prs-branch'
 
+permissions:
+  pull-requests: write
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   # This workflow contains a single job called "combine-prs"