diff --git a/.github/workflows/enforce-labels.yml b/.github/workflows/enforce-labels.yml
index 8352d79e4..3f506ee86 100644
--- a/.github/workflows/enforce-labels.yml
+++ b/.github/workflows/enforce-labels.yml
@@ -4,6 +4,11 @@ name: "Enforce PR labels"
 on:  # yamllint disable-line rule:truthy
   pull_request_target:
     types: [labeled, unlabeled, opened, edited, synchronize]
+
+permissions:
+  contents: read # to read configuration file
+  pull-requests: write # to label PRs
+
 jobs:
   enforce-label:
     if: github.repository == 'dev-sec/ansible-collection-hardening'