diff --git a/.github/workflows/ci-bwa.yml b/.github/workflows/ci-bwa.yml
index d82cccff2d..60a3fcbbf4 100644
--- a/.github/workflows/ci-bwa.yml
+++ b/.github/workflows/ci-bwa.yml
@@ -64,6 +64,7 @@ jobs:
     name: Build Manual - ${{ inputs.build-mode }}
     needs: version
     permissions:
+      contents: read
       id-token: write
     if: ${{ github.event_name == 'workflow_dispatch' && inputs.build-mode != 'CI' }}
     uses: bitwarden/ios/.github/workflows/_build-any.yml@main
@@ -81,6 +82,7 @@ jobs:
     name: Build CI
     needs: version
     permissions:
+      contents: read
       id-token: write
     if: ${{ github.event_name == 'push' || inputs.build-mode == 'CI' }}
     uses: bitwarden/ios/.github/workflows/_build-any.yml@main
diff --git a/.github/workflows/ci-bwpm.yml b/.github/workflows/ci-bwpm.yml
index 29724223a1..9d2ecbd4c6 100644
--- a/.github/workflows/ci-bwpm.yml
+++ b/.github/workflows/ci-bwpm.yml
@@ -67,6 +67,7 @@ jobs:
     name: Build Manual - ${{ inputs.build-variant }} (${{ inputs.build-mode }})
     needs: version
     permissions:
+      contents: read
       id-token: write
     if: ${{ github.event_name == 'workflow_dispatch' && inputs.build-mode != 'CI' }}
     uses: bitwarden/ios/.github/workflows/_build-any.yml@main
@@ -84,6 +85,7 @@ jobs:
     name: Build CI
     needs: version
     permissions:
+      contents: read
       id-token: write
     if: ${{ github.event_name == 'push' || inputs.build-mode == 'CI' }}
     uses: bitwarden/ios/.github/workflows/_build-any.yml@main