diff --git a/.github/workflows/dependency-graph.yml b/.github/workflows/dependency-graph.yml
index e96c3efbc8..c2c08140a4 100644
--- a/.github/workflows/dependency-graph.yml
+++ b/.github/workflows/dependency-graph.yml
@@ -3,6 +3,9 @@ on:
   push:
     branches:
       - main # default branch of the project
+
+permissions: {}
+
 jobs:
   dependency-graph:
     name: Update Dependency Graph
@@ -10,3 +13,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: scalacenter/sbt-dependency-submission@v2
+        permissions:
+          # The API requires write permission on the repository
+          # to submit dependencies
+          contents: write
diff --git a/.github/workflows/scala-steward.yml b/.github/workflows/scala-steward.yml
index 08a13210fe..64ee65f7a8 100644
--- a/.github/workflows/scala-steward.yml
+++ b/.github/workflows/scala-steward.yml
@@ -5,6 +5,10 @@ on:
 
 name: Launch Scala Steward
 
+# The GitHub Action doesn't need permissions: it only reads already-public
+# data and creates PRs through the scala-steward-asf bot:
+permissions: {}
+
 jobs:
   scala-steward:
     runs-on: ubuntu-22.04