diff --git a/.github/workflows/CICD.yml b/.github/workflows/CICD.yml
index e59265aea1e..f7f54771bd6 100644
--- a/.github/workflows/CICD.yml
+++ b/.github/workflows/CICD.yml
@@ -17,6 +17,9 @@ env:
 
 on: [push, pull_request]
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   cargo-deny:
     name: Style/cargo-deny
@@ -532,6 +535,9 @@ jobs:
         path: size-result.json
 
   build:
+    permissions:
+      contents: write # to create GitHub release (softprops/action-gh-release)
+
     name: Build
     needs: [ min_version, deps ]
     runs-on: ${{ matrix.job.os }}
diff --git a/.github/workflows/GnuTests.yml b/.github/workflows/GnuTests.yml
index 2820c8eaedf..b36a97cacfe 100644
--- a/.github/workflows/GnuTests.yml
+++ b/.github/workflows/GnuTests.yml
@@ -6,6 +6,9 @@ name: GnuTests
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   gnu:
     permissions: