diff --git a/.github/workflows/prerelease-check.yml b/.github/workflows/prerelease-check.yml
index c5bca9da68..489d43d612 100644
--- a/.github/workflows/prerelease-check.yml
+++ b/.github/workflows/prerelease-check.yml
@@ -21,6 +21,7 @@ jobs:
     permissions:
       contents: read # to fetch code (actions/checkout)
       security-events: write # for uploading SARIF files
+      actions: read
     uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@main
     with:
       # Only scan the top level go.mod file without recursively scanning directories since