diff --git a/.github/workflows/check-actions.yaml b/.github/workflows/check-actions.yaml
index a78c2c6110..192f657c04 100644
--- a/.github/workflows/check-actions.yaml
+++ b/.github/workflows/check-actions.yaml
@@ -9,9 +9,13 @@ on:
       - 'main'
       - 'release*'
 
+permissions: {}
+
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3