diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 51b5f59..3f94ed4 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -8,7 +8,9 @@ on:
   pull_request:
     branches:
       - 'main'
-    
+permissions:
+  contents: read    
+
 jobs:
   ci:
     strategy:
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
index 5a3aa3f..f310fc6 100644
--- a/.github/workflows/snyk.yaml
+++ b/.github/workflows/snyk.yaml
@@ -15,8 +15,6 @@ permissions:
 
 jobs:
   pre_snyk:
-    permissions:
-      contents: read # for actions/checkout to fetch code
     runs-on: ubuntu-latest
     outputs:
       any_changed: ${{ steps.changed-files.outputs.any_changed }}
@@ -36,7 +34,6 @@ jobs:
     needs: pre_snyk
     if: ${{ needs.pre_snyk.outputs.any_changed == 'true' }}
     permissions:
-      contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
       actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     runs-on: ubuntu-latest