diff --git a/.github/workflows/github-action-validator.yml b/.github/workflows/github-action-validator.yml
index 712911f8c6a..32718ba6936 100644
--- a/.github/workflows/github-action-validator.yml
+++ b/.github/workflows/github-action-validator.yml
@@ -16,6 +16,11 @@ jobs:
 
   validate-all-ghas:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      # Required for the zizmor action to upload its SARIF results to
+      # GitHub code scanning (advanced-security is enabled by default).
+      security-events: write
     steps:
       - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2