diff --git a/.github/workflows/changeset-reporter.yml b/.github/workflows/changeset-reporter.yml
index 7511d4f0dc08..b7ceb5aeeac7 100644
--- a/.github/workflows/changeset-reporter.yml
+++ b/.github/workflows/changeset-reporter.yml
@@ -14,6 +14,9 @@ on:
 jobs:
   load_report:
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      pull-requests: write
     steps:
       - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
         with:
diff --git a/.github/workflows/pr-check-changeset.yml b/.github/workflows/pr-check-changeset.yml
index ff714e2f019d..c00d2ce4c2dd 100644
--- a/.github/workflows/pr-check-changeset.yml
+++ b/.github/workflows/pr-check-changeset.yml
@@ -11,6 +11,9 @@ on:
   pull_request:
     types: [labeled, unlabeled, opened, synchronize, reopened]
 
+permissions:
+  pull-requests: read
+
 jobs:
   # When a PR has the changeset-required label, check if it has a changeset.
   changeset-required: