diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 1dd4e650f..e348deee4 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,6 +1,10 @@
 name: All builds
 on: [push, pull_request]
+permissions:
+ contents: read
+ packages: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 08adf73d1..09e4f3126 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,9 @@
 name: Create release from new tag
+# setting default permissions to "none"
+# because permissions are set at the job level
+permissions: {}
+
 # this flow will be run only when new tags are pushed that match our pattern
 on:
 push:
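Review bot: In main.yml the new workflow-level `permissions` block grants `packages: read` without saying why, unlike the commented block this commit adds to release.yml. A line such as `# packages: read — needed to pull <package name> from GitHub Packages` above that key would let a later reviewer decide whether the scope can be dropped. Once `permissions` is declared, every scope not listed becomes `none`, so any step in the jobs that reports checks or comments on pull requests would lose access. The job bodies continue outside this hunk, so that should be confirmed on a pull_request run.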
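Review bot: In release.yml the comment above `permissions: {}` says permissions are set at the job level, but no job is visible in this hunk, and a job that lacks its own `permissions` block would run with a token that has no scopes at all. I would word the comment as a rule for future edits, for example `# no GITHUB_TOKEN scopes by default; every job below must declare the scopes it needs`. It is also worth checking that the job which creates the release declares only the write scope it uses (presumably `contents: write`) and that any other job stays read-only.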