diff --git a/.github/workflows/contrib.yml b/.github/workflows/contrib.yml
index b2b1b2734..1872ae11c 100644
--- a/.github/workflows/contrib.yml
+++ b/.github/workflows/contrib.yml
@@ -4,8 +4,13 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
+    permissions:
+      contents: write  # for Git to git push
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 67502ba88..d5a311d24 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -9,6 +9,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   # Check Code style quickly by running `rustfmt` over all code
   rustfmt:
@@ -149,6 +152,8 @@ jobs:
         sh linkcheck.sh --all cargo
 
   success:
+    permissions:
+      contents: none
     name: bors build finished
     needs: [docs, rustfmt, test, resolver, build_std]
     runs-on: ubuntu-latest
@@ -156,6 +161,8 @@ jobs:
     steps:
     - run: echo ok
   failure:
+    permissions:
+      contents: none
     name: bors build finished
     needs: [docs, rustfmt, test, resolver, build_std]
     runs-on: ubuntu-latest