diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 619edee0b..df1fe987c 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -9,6 +9,8 @@ on:
   schedule:
     - cron: '0 2 * * 1' # At 02:00 on Monday
 
+permissions: {}
+
 jobs:
   test:
     name: Test
@@ -102,6 +104,11 @@ jobs:
   codeql:
     name: CodeQL
     runs-on: ubuntu-latest
+
+    permissions:
+      # See: https://github.com/github/codeql-action/blob/008b2cc71c4cf3401f45919d8eede44a65b4a322/README.md#usage
+      security-events: write
+
     steps:
     - name: Checkout repository
       uses: actions/checkout@v2