diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 62865fd3..a8e2b749 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -4,7 +4,6 @@ on: [push]
 
 permissions:
   contents: write          # This is required for actions/checkout@v1
-  security-events: write   # To upload sarif files
 
 jobs:
   build:
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index 612458d3..ccb34bf7 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -6,6 +6,11 @@ on:
   schedule:
     - cron: '20 14 * * 1'
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write   # To upload sarif files
+
 jobs:
   analyze:
     name: Analyze