diff --git a/.github/workflows/conflicting-pr-label.yml b/.github/workflows/conflicting-pr-label.yml
index 1e1f7698d0d..4252b6b625f 100644
--- a/.github/workflows/conflicting-pr-label.yml
+++ b/.github/workflows/conflicting-pr-label.yml
@@ -11,6 +11,10 @@ on:
     types: [synchronize]
     branches: [main]
 
+permissions:
+  pull-requests: write
+  contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   # This workflow contains a single job called "build"
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 41c6960481d..f0554fe16e3 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -2,10 +2,12 @@ name: Publish package to PyPI and create release
 
 on:
   push:
-    branches: [main]
     tags:
       - "v*" # Push events to matching v*, i.e. v1.0, v20.15.10
 
+permissions:
+  contents: write
+
 jobs:
   build:
     uses: ./.github/workflows/build.yml