diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 49b66ee8..2610846e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,9 @@ on:
   push:
     branches: [master]
   pull_request: {}
+  
+permissions:
+  contents: read
 
 jobs:
   mypy:
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index aa693c3f..8438ac45 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -4,13 +4,14 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
-permissions:
-  issues: "write"
+permissions: {}
 
 jobs:
   lock:
     if: github.repository_owner == 'certifi'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - uses: dessant/lock-threads@v3
         with: