diff --git a/.github/workflows/build-using-buildscripts.yml b/.github/workflows/build-using-buildscripts.yml
index 3af8d8c0d..3de7ecd6d 100644
--- a/.github/workflows/build-using-buildscripts.yml
+++ b/.github/workflows/build-using-buildscripts.yml
@@ -4,8 +4,8 @@ on:
   workflow_call:
     inputs:
       additional_artifacts:
-        description: 'Additional files or directories to include in artifacts'
-        default: ''
+        description: "Additional files or directories to include in artifacts"
+        default: ""
         required: false
         type: string
 
@@ -19,6 +19,9 @@ on:
       GH_ACTIONS_SSH_KEY_BUILD_ARTIFACTS_CACHE:
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   build_cfengine_hub_package:
     name: Build package
@@ -122,7 +125,6 @@ jobs:
           restore-keys: |
             build-${{ env.PACKAGE_SHA }}
 
-
       - name: Build package in docker
         env:
           GH_ACTIONS_SSH_KEY_BUILD_ARTIFACTS_CACHE: ${{ secrets.GH_ACTIONS_SSH_KEY_BUILD_ARTIFACTS_CACHE }}
@@ -141,8 +143,8 @@ jobs:
         uses: actions/cache/save@v3
         with:
           path: |
-              artifacts
-              packages
+            artifacts
+            packages
           key: artifacts-${{ env.PACKAGE_SHA }}
 
       - name: Save artifacts
diff --git a/.github/workflows/deployment-tests.yml b/.github/workflows/deployment-tests.yml
index 859bb6547..7b187580d 100644
--- a/.github/workflows/deployment-tests.yml
+++ b/.github/workflows/deployment-tests.yml
@@ -12,6 +12,9 @@ on:
       GH_ACTIONS_SSH_KEY_BUILD_ARTIFACTS_CACHE:
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   deployment_tests:
     name: Run simple deployment tests