diff --git a/.github/workflows/release-composite.yml b/.github/workflows/release-composite.yml
index 3e0a8c2..c47da8f 100644
--- a/.github/workflows/release-composite.yml
+++ b/.github/workflows/release-composite.yml
@@ -16,6 +16,7 @@ permissions:
   # NOTE: individual jobs define more narrowly scoped permissions.
   # Release requires so must be defined here
   contents: write
+  actions: read
 
 jobs:
   lint:
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 14ea5c6..8a40390 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -14,6 +14,7 @@ permissions:
   actions: read
   contents: read
   security-events: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.action }}
   cancel-in-progress: true