diff --git a/.github/workflows/ci-lint-dependabot-config.yml b/.github/workflows/ci-lint-dependabot-config.yml
index c906e22849b..b2de166b4ac 100644
--- a/.github/workflows/ci-lint-dependabot-config.yml
+++ b/.github/workflows/ci-lint-dependabot-config.yml
@@ -5,6 +5,11 @@ on:
     paths:
       - '.github/dependabot.yml'
       - '.github/workflows/validate-dependabot-config.yml'
+
+# See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
+permissions:
+  contents: read
+
 jobs:
   validate:
     runs-on: ubuntu-latest