diff --git a/.github/workflows/deploy-site.yml b/.github/workflows/deploy-site.yml
index 587fd3e412..b2b2190f59 100644
--- a/.github/workflows/deploy-site.yml
+++ b/.github/workflows/deploy-site.yml
@@ -6,11 +6,12 @@ on:
     branches:
       - master
 
-permissions:
-  contents: read
-  id-token: write
+permissions: {}
 
 jobs:
   upload-website:
     uses: publicsuffix/publicsuffix.org/.github/workflows/deploy-site.yaml@master
+    permissions:
+      contents: read
+      id-token: write
     secrets: inherit
diff --git a/.github/workflows/tld-update.yml b/.github/workflows/tld-update.yml
index 0e6fd80f59..d5e8621e68 100644
--- a/.github/workflows/tld-update.yml
+++ b/.github/workflows/tld-update.yml
@@ -4,10 +4,17 @@ on:
   schedule:
     # Run once a day at 15:00 UTC
     - cron:  '0 15 * * *'
+    
+permissions:
+  contents: read
+
 jobs:
   psl-gtld-update:
     name: Check for TLD data updates
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
 
       - name: Check out code