diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1f7a1ab..2393f32 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,9 @@ on:
     branches:
       - 'main'
 
+permissions:
+  contents: read
+
 jobs:
   unit_tests:
     name: "Unit tests"
@@ -34,6 +37,8 @@ jobs:
     if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     needs: unit_tests
+    permissions:
+      pull-requests: write # write permission needed to comment on PR
     steps:
       - uses: fgrosse/go-coverage-report@v1.0.0
         with: