diff --git a/.github/workflows/presubmit.yml b/.github/workflows/presubmit.yml
index b6e2aa7753c0e4ef753dc99014134b203a2bf76b..a6a17fa89f5c21247c593116db16c0dd193cf452 100644
--- a/.github/workflows/presubmit.yml
+++ b/.github/workflows/presubmit.yml
@@ -20,6 +20,9 @@ concurrency:
   group: ${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     uses: ./.github/workflows/build-and-test.yml
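Review bot: The new top-level `permissions:` block has no comment noting that it is also the ceiling for the reusable workflow called just below it, which is what a later maintainer is most likely to trip over. Declaring `contents: read` sets every unlisted GITHUB_TOKEN scope to `none`, and a called workflow can only narrow what its caller grants. Any step in `build-and-test.yml` that needs, for example, `checks: write` or `id-token: write` would lose it; that file is not in this diff, so this should be confirmed rather than assumed. I would add above the block `# Least-privilege GITHUB_TOKEN; unlisted scopes are none, and this caps build-and-test.yml too.` The same applies to the identical hunk in `.github/workflows/trunk.yml`, and the `build-and-test` job definition may continue past the end of both hunks.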
diff --git a/.github/workflows/trunk.yml b/.github/workflows/trunk.yml
index 7e5243ac2cdb1bc641970de61886c4ebbb42a056..714e94c7aa5772cb157aa43ad3c7e957a326abbd 100644
--- a/.github/workflows/trunk.yml
+++ b/.github/workflows/trunk.yml
@@ -15,6 +15,9 @@ concurrency:
   group: ${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     uses: ./.github/workflows/build-and-test.yml