diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index bc31d6a3c..68f55358f 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -6,9 +6,16 @@ on:
   schedule:
     - cron: '0 4 * * 6'
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   CodeQL-Build:
 
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      security-events: write # (github/codeql-action/autobuild)
+
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
index c2c02ce9f..9600af215 100644
--- a/.github/workflows/node.js.yml
+++ b/.github/workflows/node.js.yml
@@ -2,6 +2,9 @@ name: CI
 
 on: [push, pull_request]
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   build:
     runs-on: ubuntu-latest