diff --git a/.github/workflows/build_pr_preview.yml b/.github/workflows/build_pr_preview.yml
index 301a53a62d..4315a0f2a1 100644
--- a/.github/workflows/build_pr_preview.yml
+++ b/.github/workflows/build_pr_preview.yml
@@ -8,8 +8,7 @@ on:
     # Run when label is added or present and when pushing to the PR
     types: [labeled, opened, synchronize]
 
-permissions:
-  contents: write
+permissions: read-all
 
 jobs:
   build_preview:
diff --git a/.github/workflows/delete_pr_preview.yml b/.github/workflows/delete_pr_preview.yml
index 17c16b4fab..0b145095b9 100644
--- a/.github/workflows/delete_pr_preview.yml
+++ b/.github/workflows/delete_pr_preview.yml
@@ -16,7 +16,9 @@ jobs:
       ((github.event.action == 'unlabeled' && github.event.label.name == 'safe
       for preview') || (github.event.action == 'closed' &&
       contains(github.event.pull_request.labels.*.name, 'safe for preview')))
-    name: Build with Hugo
+    name: Delete PR preview when a PR is closed or label removed
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4