diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index d8535a599a..82dcef3f6a 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -18,6 +18,8 @@ jobs:
     with:
       record_pr_workflow_id: ${{ github.event.workflow_run.id }}
       workflow_origin: ${{ github.event.repository.full_name }}
+    permissions:
+      pull-requests: read
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
   label_pr:
@@ -40,4 +42,4 @@ jobs:
           # and label PR based on semantic title accordingly
           script: |
             const script = require('.github/scripts/label_pr_based_on_title.js')
-            await script({github, context, core})
\ No newline at end of file
+            await script({github, context, core})
diff --git a/.github/workflows/on-merge-to-main.yml b/.github/workflows/on-merge-to-main.yml
index e32eddef02..0b25dacfdd 100644
--- a/.github/workflows/on-merge-to-main.yml
+++ b/.github/workflows/on-merge-to-main.yml
@@ -16,6 +16,7 @@ jobs:
   get_pr_details:
     if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
     permissions:
+      contents: read
       pull-requests: read
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with: