diff --git a/.github/workflows/helm_chart_release.yaml b/.github/workflows/helm_chart_release.yaml
index 818662cf1e..9168f0fb30 100644
--- a/.github/workflows/helm_chart_release.yaml
+++ b/.github/workflows/helm_chart_release.yaml
@@ -8,8 +8,13 @@ on:
     paths:
       - "charts/**"
 
+permissions:
+  contents: read
+
 jobs:
   release:
+    permissions:
+      contents: write  # for helm/chart-releaser-action to push chart release and create a release
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -25,4 +30,4 @@ jobs:
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
         with:
-          config: .github/cr.yaml
+          config: .github/cr.yaml
\ No newline at end of file
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
index cc9ad27270..ac717d4edc 100644
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@@ -8,6 +8,9 @@ on:
     paths:
       - version.txt
 
+permissions:
+  contents: read
+
 jobs:
   tag:
     if: ${{ github.repository == 'kubernetes/cloud-provider-aws' }}