diff --git a/.github/workflows/datadog-static-analysis.yml b/.github/workflows/datadog-static-analysis.yml
index 26514b160..9dc91425e 100644
--- a/.github/workflows/datadog-static-analysis.yml
+++ b/.github/workflows/datadog-static-analysis.yml
@@ -4,7 +4,7 @@ on:
   push:
 
 permissions:
-  contents: write
+  contents: write # write permission is needed to get access to the DD_API_KEY secrete - https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#accessing-your-secrets
 
 jobs:
   static-analysis:
diff --git a/.github/workflows/system-test.yml b/.github/workflows/system-test.yml
index ae8b80b7d..8087a73f5 100644
--- a/.github/workflows/system-test.yml
+++ b/.github/workflows/system-test.yml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   system-test:
     runs-on: