diff --git a/.github/workflows/ci-full-check.yml b/.github/workflows/ci-full-check.yml
index 6250d2a..6f130f5 100644
--- a/.github/workflows/ci-full-check.yml
+++ b/.github/workflows/ci-full-check.yml
@@ -31,6 +31,8 @@ jobs:
 
   dependency-graph:
     uses: ./.github/workflows/integ-test-dependency-graph.yml
+    permissions:
+      contents: write
     with:
       cache-key-prefix: ${{github.run_number}}-
 
diff --git a/.github/workflows/ci-quick-check.yml b/.github/workflows/ci-quick-check.yml
index 87eeaf2..d884b17 100644
--- a/.github/workflows/ci-quick-check.yml
+++ b/.github/workflows/ci-quick-check.yml
@@ -53,6 +53,8 @@ jobs:
   dependency-graph:
     needs: build-distribution
     uses: ./.github/workflows/integ-test-dependency-graph.yml
+    permissions:
+      contents: write
     with:
       runner-os: '["ubuntu-latest"]'
       download-dist: true
diff --git a/.github/workflows/demo-pr-build-scan-comment.yml b/.github/workflows/demo-pr-build-scan-comment.yml
index 079cb73..2e31ba6 100644
--- a/.github/workflows/demo-pr-build-scan-comment.yml
+++ b/.github/workflows/demo-pr-build-scan-comment.yml
@@ -2,6 +2,10 @@ name: Demo adding Build Scan® comment to PR
 on:
   pull_request:
     types: [assigned, review_requested]
+
+permissions:
+  pull-requests: write
+
 jobs:
   successful-build-with-always-comment:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/integ-test-dependency-graph.yml b/.github/workflows/integ-test-dependency-graph.yml
index b05fb22..bd16441 100644
--- a/.github/workflows/integ-test-dependency-graph.yml
+++ b/.github/workflows/integ-test-dependency-graph.yml
@@ -12,6 +12,9 @@ on:
         type: boolean
         default: false
 
+permissions:
+  contents: write
+
 env:
   DOWNLOAD_DIST: ${{ inputs.download-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-graph-${{ inputs.cache-key-prefix }}