diff --git a/.github/workflows/attach-release-artifacts.yml b/.github/workflows/attach-release-artifacts.yml
index 8778d9f94..9c0325116 100644
--- a/.github/workflows/attach-release-artifacts.yml
+++ b/.github/workflows/attach-release-artifacts.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: write # gh release upload requires releases write
+
 jobs:
   attach-artifacts:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index 59d8018d2..3ac009281 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -6,6 +6,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest