diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index 9dbee1eede..adabb59404 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -1,5 +1,7 @@
 name: Linters
 on: [push, pull_request]
+permissions:
+  contents: read # to fetch code (actions/checkout)
 jobs:
   rubocop:
     name: runner / rubocop
diff --git a/.github/workflows/mapi.yml b/.github/workflows/mapi.yml
index d26d4fc9fa..bc4c43b6dc 100644
--- a/.github/workflows/mapi.yml
+++ b/.github/workflows/mapi.yml
@@ -1,7 +1,12 @@
 name: 'Mayhem for API'
 on: workflow_dispatch
+permissions:
+  contents: read # to fetch code (actions/checkout)
 jobs:
   test:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      security-events: write # to upload SARIF results (github/codeql-action/upload-sarif)
     if: ${{ github.repository_owner == 'openfoodfoundation' }}
     runs-on: ubuntu-latest
     strategy: