diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 278241b5dea535f9b7ec71c13db1dc9490d7ceae..9ca3688ac6a4a879aff6cec2ef795b880275add4 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -10,8 +10,14 @@ on:
     branches:
       - master
       - main
+permissions:
+  contents: read
+
 jobs:
   golangci:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
     name: lint
     runs-on: ubuntu-latest
     steps:
@@ -50,4 +56,4 @@ jobs:
         env:
           GO111MODULE: "on"
           MONGODB_TEST_CXN: "localhost"
-        run: make generate; if [ -z "$FIX_TEST" ]; then make build; make; else make build_accept; make $FIX_TEST; fi
\ No newline at end of file
+        run: make generate; if [ -z "$FIX_TEST" ]; then make build; make; else make build_accept; make $FIX_TEST; fi