diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml
index 635ee558..ca118a1e 100644
--- a/.github/workflows/build-images.yml
+++ b/.github/workflows/build-images.yml
@@ -12,6 +12,11 @@ env:
 OCI_CLI_TENANCY: ${{ secrets.OCI_CLI_TENANCY }}
 OCI_CLI_USER: ${{ secrets.OCI_CLI_USER }}
 
+# OCIR push uses OCI_AUTH_TOKEN + OCI_CLI_* secrets; default GITHUB_TOKEN
+# only needs read for the checkout.
+permissions:
+ contents: read
+
 jobs:
 build-dbmigrator-image:
 if: github.ref == 'refs/heads/main'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d7375552..aac60e42 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 linter-backend:
 runs-on: ubuntu-latest
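Review bot: The added `permissions` block in build-images.yml restricts only the GITHUB_TOKEN, while the workflow-level `env:` in the context lines just above still exports the OCI_CLI_* secrets to every job and step, including any third-party action. For a workflow that pushes images that is the larger exposure, so consider moving those entries to an `env:` on the step that actually calls the OCI CLI or logs in to the registry. The comment could then read `# GITHUB_TOKEN is read-only; OCI credentials are scoped to the push step.` The job steps are outside the hunk, so the claim that checkout is the only token consumer cannot be confirmed from here; if `actions/checkout` is used, `persist-credentials: false` would also keep the read token out of the workspace's git config.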
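Review bot: The `permissions` block added to ci.yml has no comment, unlike the one in build-images.yml, and a workflow-level block silently sets every scope it does not list to `none`. A line such as `# Least privilege: jobs only check out code; grant extra scopes per job if a step needs them.` above `permissions:` would make that visible to the next editor. The job bodies are outside the hunk, so it is worth verifying that no linter step posts annotations or reads PR metadata (some actions need `checks: write` or `pull-requests: read`). If one does, grant the scope in that job's own `permissions:` rather than widening this block.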