diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 631d1088..cfcf98f3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -400,6 +400,19 @@ jobs:
 os: [ubuntu-22.04]
 java: [temurin@8]
 runs-on: ${{ matrix.os }}
+ permissions:
+ actions: none
+ checks: none
+ contents: write
+ deployments: none
+ id-token: none
+ issues: none
+ packages: read
+ pages: none
+ pull-requests: none
+ repository-projects: none
+ security-events: none
+ statuses: none
 steps:
 - name: Ignore line ending differences in git
 if: contains(runner.os, 'windows')
diff --git a/ci/src/main/scala/org/typelevel/sbt/TypelevelCiPlugin.scala b/ci/src/main/scala/org/typelevel/sbt/TypelevelCiPlugin.scala
index 877fa5f3..78dd2189 100644
--- a/ci/src/main/scala/org/typelevel/sbt/TypelevelCiPlugin.scala
+++ b/ci/src/main/scala/org/typelevel/sbt/TypelevelCiPlugin.scala
@@ -20,6 +20,8 @@ import org.typelevel.sbt.NoPublishGlobalPlugin.noPublishModulesIgnore
 import org.typelevel.sbt.gha.GenerativePlugin
 import org.typelevel.sbt.gha.GenerativePlugin.autoImport._
 import org.typelevel.sbt.gha.GitHubActionsPlugin
+import org.typelevel.sbt.gha.PermissionValue
+import org.typelevel.sbt.gha.Permissions
 import org.typelevel.sbt.gha.WorkflowStep
 import sbt._
@@ -156,6 +158,8 @@ object TypelevelCiPlugin extends AutoPlugin {
 scalas = Nil,
 sbtStepPreamble = Nil,
 javas = List(githubWorkflowJavaVersions.value.head),
+ permissions = Some(
+ Permissions.Specify.defaultRestrictive.withContents(PermissionValue.Write)),
 steps = githubWorkflowJobSetup.value.toList :+
 WorkflowStep.DependencySubmission(
 None,
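Review bot: The new `permissions = Some(...)` argument in the `@@ -156,6 +158,8 @@` hunk of TypelevelCiPlugin.scala grants `contents: write` without saying why, and a job-level grant covers every step from `githubWorkflowJobSetup`, not only `WorkflowStep.DependencySubmission`. I would add a comment above it, e.g. `// contents: write is required by the dependency submission API; every other scope stays at the restrictive default`, so the grant is neither widened nor dropped by accident later. The rendered job in ci.yml also keeps `packages: read`, which presumably comes from `defaultRestrictive`; if this job never resolves from GitHub Packages, that scope could be `none` too. The job definition starts and ends outside the hunk, so its trigger condition is not visible here; it is worth confirming that the job does not run for untrusted pull-request events while holding this token.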