diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fc6531ea5..1a317f267 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,6 +28,8 @@ jobs:
     - run: nix --experimental-features 'nix-command flakes' flake check -L
 
   check_cachix:
+    permissions:
+      contents: none
     name: Cachix secret present for installer tests
     runs-on: ubuntu-latest
     outputs:
diff --git a/.github/workflows/hydra_status.yml b/.github/workflows/hydra_status.yml
index 53e69cb2d..d85999256 100644
--- a/.github/workflows/hydra_status.yml
+++ b/.github/workflows/hydra_status.yml
@@ -3,6 +3,9 @@ on:
   schedule:
     - cron: "12,42 * * * *"
   workflow_dispatch:
+permissions:
+  contents: read
+
 jobs:
   check_hydra_status:
     name: Check Hydra status