diff --git a/.github/workflows/printer-linter-pr-diagnose.yml b/.github/workflows/printer-linter-pr-diagnose.yml
index 1be20c4548..67fbe7247f 100644
--- a/.github/workflows/printer-linter-pr-diagnose.yml
+++ b/.github/workflows/printer-linter-pr-diagnose.yml
@@ -5,6 +5,9 @@ on:
     path:
       - "resources/**"
 
+permissions:
+  contents: read
+
 jobs:
   printer-linter-diagnose:
     name: Printer linter PR diagnose
diff --git a/.github/workflows/printer-linter-pr-post.yml b/.github/workflows/printer-linter-pr-post.yml
index 8bb1aaf028..526fdcdbaa 100644
--- a/.github/workflows/printer-linter-pr-post.yml
+++ b/.github/workflows/printer-linter-pr-post.yml
@@ -5,6 +5,9 @@ on:
     workflows: ["printer-linter-pr-diagnose"]
     types: [completed]
 
+permissions:
+  issues: write
+
 jobs:
   clang-tidy-results:
     # Trigger the job only if the previous (insecure) workflow completed successfully