diff --git a/.github/workflows/ci-java.yml b/.github/workflows/ci-java.yml
index 0e9204d..ef06b5e 100644
--- a/.github/workflows/ci-java.yml
+++ b/.github/workflows/ci-java.yml
@@ -28,7 +28,13 @@ on:
 type: string
 default: ''

-permissions: read-all
+# Reusable workflows can only request permissions the *caller* has granted.
+# `read-all` here breaks any caller that scopes permissions narrower than
+# read-all (e.g. cycles-server's ci.yml grants only `contents: read`), causing
+# `startup_failure` with: "workflow is requesting ... but is only allowed ...".
+# Match the caller-friendly pattern: declare only what we actually need.
+permissions:
+ contents: read

 jobs:
 test:
diff --git a/.github/workflows/ci-python.yml b/.github/workflows/ci-python.yml
index aea7857..4232aa5 100644
--- a/.github/workflows/ci-python.yml
+++ b/.github/workflows/ci-python.yml
@@ -16,7 +16,13 @@ on:
 type: boolean
 default: true

-permissions: read-all
+# Reusable workflows can only request permissions the *caller* has granted.
+# `read-all` here breaks any caller that scopes permissions narrower than
+# read-all (e.g. cycles-server's ci.yml grants only `contents: read`), causing
+# `startup_failure` with: "workflow is requesting ... but is only allowed ...".
+# Match the caller-friendly pattern: declare only what we actually need.
+permissions:
+ contents: read

 jobs:
 lint-and-test:
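Review bot: Listing only `contents: read` in the workflow-level `permissions:` block of ci-java.yml sets every unlisted scope to `none` for the `test` job, whose steps lie outside this hunk. Before merging, confirm that none of those steps relied on a scope `read-all` used to supply, such as `packages: read` for dependency resolution from GitHub Packages or `actions: read`. The same check applies to `lint-and-test` in ci-python.yml. I would extend the comment in both files with `# Scopes not listed here are 'none'; add any new scope on the job that needs it, and callers must grant it too.` so the next person adding a step knows where to declare it. The reference to cycles-server's ci.yml in a shared reusable workflow will go stale; consider wording it as `a caller that grants only contents: read`.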