diff --git a/.github/workflows/bump-gitstream-core.yml b/.github/workflows/bump-gitstream-core.yml
index 22bd09b8..b77346cb 100644
--- a/.github/workflows/bump-gitstream-core.yml
+++ b/.github/workflows/bump-gitstream-core.yml
@@ -25,6 +25,8 @@ on:
         description: GitHub username to assign as reviewer
         required: false
 
+permissions: {}
+
 jobs:
   publish_pr:
     name: Publish PR
diff --git a/.github/workflows/create-tag-on-merge.yml b/.github/workflows/create-tag-on-merge.yml
index 2c91e406..683efb8f 100644
--- a/.github/workflows/create-tag-on-merge.yml
+++ b/.github/workflows/create-tag-on-merge.yml
@@ -15,6 +15,10 @@ on:
 env:
   SLACK_WEBHOOK: ${{ secrets.SLACK_WORKFLOWS_DEPLOYMENT_WEBHOOK }}
 
+permissions:
+  contents: write
+  pull-requests: read
+
 jobs:
   create-tag:
     runs-on: ubuntu-24.04