diff --git a/.github/workflows/claude-review-manual.yml b/.github/workflows/claude-review-manual.yml
index 11bfc09..f31760c 100644
--- a/.github/workflows/claude-review-manual.yml
+++ b/.github/workflows/claude-review-manual.yml
@@ -13,10 +13,16 @@ on:
 default: false
 type: boolean
-permissions: {}
+permissions:
+ contents: read
 jobs:
 claude-review:
+ permissions:
+ contents: read
+ pull-requests: write
+ issues: write
+ id-token: write
 uses: codingworkflow/codingworkflow-security-policies/.github/workflows/reusable-claude-review.yml@55070d1bc124fbe46d9a8edbc8d536826d4e15ed
 with:
 pr_number: ${{ inputs.pr_number }}
diff --git a/.github/workflows/opencode-review-manual.yml b/.github/workflows/opencode-review-manual.yml
index aad74ff..aaed6b2 100644
--- a/.github/workflows/opencode-review-manual.yml
+++ b/.github/workflows/opencode-review-manual.yml
@@ -28,10 +28,16 @@ on:
 default: false
 type: boolean
-permissions: {}
+permissions:
+ contents: read
 jobs:
 opencode-review:
+ permissions:
+ contents: read
+ pull-requests: write
+ issues: write
+ id-token: write
 uses: codingworkflow/codingworkflow-security-policies/.github/workflows/reusable-opencode-review.yml@55070d1bc124fbe46d9a8edbc8d536826d4e15ed
 with:
 pr_number: ${{ inputs.pr_number }}
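Review bot: The new job-level block on `claude-review` grants `id-token: write` together with `pull-requests: write` and `issues: write`, with no comment recording which step of the pinned reusable workflow needs each scope; the identical block is added to `opencode-review` in opencode-review-manual.yml. A caller's job permissions are the ceiling for the called workflow's token, and this job presumably hands pull-request content to a review agent, so each write scope should be checked against the reusable workflow and `id-token: write` dropped if no step requests an OIDC token. If OIDC is needed, a comment such as `# id-token: write - OIDC auth inside the reusable review workflow` would document it, and the relying party's trust policy should match on the `job_workflow_ref` claim rather than on the repository alone. The workflow-level change to `contents: read` looks unnecessary because the job now sets its own permissions; keeping `permissions: {}` there would leave any job added later with no token access by default. The `on:` and `with:` blocks of both files continue outside the hunks.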