diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index acd26f1d7..3050dabec 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -14,7 +14,9 @@ jobs:
       versions: ${{ steps.compare.outputs.versions }}
 
     permissions:
+      actions: read
       contents: read
+      security-events: write
 
     steps:
     - uses: actions/checkout@v2
@@ -63,6 +65,7 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     permissions:
+      actions: read
       contents: read
       security-events: write