diff --git a/.github/workflows/label-actions.yml b/.github/workflows/label-actions.yml
index cd2e76c648fb725c9da95f9e29e9edaee9bd9105..8fb6982907c93709c5a64aecae36f68dbf93e922 100644
--- a/.github/workflows/label-actions.yml
+++ b/.github/workflows/label-actions.yml
@@ -4,6 +4,10 @@ on:
   issues:
     types: [labeled]
 
+permissions:
+  contents: read
+  issues: write
+
 jobs:
   reaction:
     runs-on: ubuntu-latest
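Review bot: The new `permissions:` block sits at workflow level, so any job later added to this file inherits `issues: write` without anyone deciding it should. Declaring the same two scopes under `jobs.reaction` instead keeps the write grant attached to the one job that uses it; the `lock.yml` hunk has the same shape and could move its block under `jobs.lock`. The steps of `reaction` are outside this hunk, so it is not visible what `contents: read` is for. A short comment above it would save the next reader from guessing, for example `# contents: read - needed to fetch the action's config file from the repo` if that is the reason.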
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index a3c7468439008cc82dfaf43db2cd55f46894572e..9a5130094fe582a350384d93c482f8d532b0a957 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -8,6 +8,10 @@ on:
   # allow manual trigger
   workflow_dispatch:
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   lock:
     runs-on: ubuntu-latest
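Review bot: This block omits `contents`, whereas the block added to `label-actions.yml` grants `contents: read`. Once a `permissions:` key is present, every scope not listed is set to `none`. The steps of `lock` are outside the hunk; if any of them checks out the repository or reads a file from it, the token will be refused. If the omission is deliberate, a one-line comment would record that, for example `# no contents scope: this job only locks issues and pull requests`.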