diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 387d74d..da7cdb6 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -13,5 +13,6 @@ jobs:
     name: Analysis
     uses: ./.github/workflows/reusable_codeql.yml
     permissions:
+      contents: read
       security-events: write
 
diff --git a/.github/workflows/reusable_codeql.yml b/.github/workflows/reusable_codeql.yml
index 7696960..6dd0da9 100644
--- a/.github/workflows/reusable_codeql.yml
+++ b/.github/workflows/reusable_codeql.yml
@@ -19,6 +19,7 @@ jobs:
     name: Analyze (${{inputs.languages}})
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       # required for all workflows
       security-events: write
     steps: