diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e467b3e50b1..8010769f72c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -32,6 +32,9 @@ jobs:
       - run: nox -s docs
 
   determine-changes:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
     runs-on: ubuntu-latest
     outputs:
       tests: ${{ steps.filter.outputs.tests }}
diff --git a/.github/workflows/news-file.yml b/.github/workflows/news-file.yml
index da7119a5573..517be7d477d 100644
--- a/.github/workflows/news-file.yml
+++ b/.github/workflows/news-file.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
     types: [labeled, unlabeled, opened, reopened, synchronize]
 
+permissions:
+  contents: read
+
 jobs:
   check-news-entry:
     name: news entry