diff --git a/.github/workflows/osv.yml b/.github/workflows/osv.yml
index d972828..4d28b81 100644
--- a/.github/workflows/osv.yml
+++ b/.github/workflows/osv.yml
@@ -44,10 +44,9 @@ on:
       - "nodecar/package-lock.json"
 
 permissions:
-  # Require writing security events to upload SARIF file to security tab
   security-events: write
-  # Read commit contents
   contents: read
+  actions: read
 
 jobs:
   scan-scheduled:
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index 67ce2cb..f611a8f 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -7,10 +7,9 @@ on:
     branches: ["main"]
 
 permissions:
-  # Required for OSV scanner to upload SARIF file to security tab
   security-events: write
-  # Read commit contents
   contents: read
+  actions: read
 
 jobs:
   lint-js: