diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e7a60b2..d4340af 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -30,6 +30,8 @@ env:
 jobs:
   diagnostics:
     name: Run diagnostics
+    # This job does not need any permissions
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       # Note that a duplicate of this step must be added at the top of
@@ -48,6 +50,9 @@ jobs:
   lint:
     needs:
       - diagnostics
+    permissions:
+      # actions/checkout needs this to fetch code
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - id: harden-runner
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index e83bd41..39e7379 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -13,6 +13,8 @@ permissions:
 jobs:
   diagnostics:
     name: Run diagnostics
+    # This job does not need any permissions
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       # Note that a duplicate of this step must be added at the top of