diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index 82dcef3f6a..7cc88ada13 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -19,6 +19,7 @@ jobs:
       record_pr_workflow_id: ${{ github.event.workflow_run.id }}
       workflow_origin: ${{ github.event.repository.full_name }}
     permissions:
+      contents: read
       pull-requests: read
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 717b9f5acf..32051a53c8 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -18,6 +18,8 @@ jobs:
       workflow_origin: ${{ github.event.repository.full_name }}
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
+    permissions: 
+      pull-requests: read
   check_related_issue:
     permissions:
       issues: read
@@ -39,4 +41,4 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             const script = require('.github/scripts/label_missing_related_issue.js')
-            await script({github, context, core})
\ No newline at end of file
+            await script({github, context, core})