diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 082a28fc791..58653e4d88f 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: '0 7 * * *'
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   deploy_docs:
     runs-on: ubuntu-20.04
diff --git a/.github/workflows/push_pull.yml b/.github/workflows/push_pull.yml
index 1de0439032d..fec06489853 100644
--- a/.github/workflows/push_pull.yml
+++ b/.github/workflows/push_pull.yml
@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: '0 3 * * *'
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   regular_check:
     runs-on: macos-latest
@@ -24,6 +27,10 @@ jobs:
           ubsan: false
 
   sanitizer_check:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      issues: write # to create an issue
+
     runs-on: macos-latest
     if: (github.event_name == 'schedule' && github.repository == 'espressomd/espresso')
     steps: