diff --git a/.github/workflows/repl-artefacts.yml b/.github/workflows/repl-artefacts.yml
index 564f1b93f9d..38a5d87d608 100644
--- a/.github/workflows/repl-artefacts.yml
+++ b/.github/workflows/repl-artefacts.yml
@@ -4,8 +4,11 @@ on:
   pull_request_target:
     types: [synchronize, opened, reopened, labeled]
 
+permissions: read-all
+
 jobs:
   upload:
+    permissions: write-all # for peter-evans/find-comment and peter-evans/create-or-update-comment
     if: ${{ github.event.pull_request.head.repo.full_name == 'rollup/rollup' || contains( toJson(github.event.pull_request.labels), 'x⁸ ⚙️ build repl artefacts' ) }}
     runs-on: ubuntu-latest
     name: Upload