diff --git a/.github/workflows/test_docker_debian.yml b/.github/workflows/test_docker_debian.yml
index 1395137a0..c775ce860 100644
--- a/.github/workflows/test_docker_debian.yml
+++ b/.github/workflows/test_docker_debian.yml
@@ -41,6 +41,8 @@ jobs:
 
   # Build container and run tests
   run:
+    permissions:
+      actions: write
     name: ${{ matrix.debian_codename }}
     strategy:
       fail-fast: false
diff --git a/.github/workflows/test_docker_debian_codename_sub.yml b/.github/workflows/test_docker_debian_codename_sub.yml
index 638612c46..a6c2be1a9 100644
--- a/.github/workflows/test_docker_debian_codename_sub.yml
+++ b/.github/workflows/test_docker_debian_codename_sub.yml
@@ -170,6 +170,8 @@ jobs:
 
   # cleanup after test execution
   cleanup:
+    permissions:
+      actions: write
     # run only if tests didn't fail: keep the artifact to make job reruns possible
     if: ${{ !failure() }}
     needs: [build, test]
@@ -180,3 +182,5 @@ jobs:
           uses: geekyeggo/delete-artifact@v4
           with:
             name: ${{ needs.build.outputs.image_file_name }}
+            # on PRs no write permissions are granted, so this fails in this cases
+            failOnError: false