diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index 61af98137..f2ef39ea0 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -6,6 +6,8 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions: read-all
+
 jobs:
   govulncheck:
     name: govulncheck
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 29c1f3098..e8fdaaa51 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,8 @@ on:
     branches:
       - main
 
+permissions: read-all
+
 # Note the only differences between release and canary-release jobs are:
 # - only canary passes --overwrite flag
 # - the VERSION make variable passed to 'make dist checksum' is expected to