diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 40ce76fe4b..186e8d70a9 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -496,6 +496,9 @@ jobs:
   olm-bundle:
     name: Create OLM bundle and catalog
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
     needs:
       - buildx
     if: |
@@ -544,6 +547,9 @@ jobs:
   olm-scorecard:
     name: Running OLM scorecard test
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: read
     needs:
       - buildx
       - olm-bundle
@@ -592,6 +598,9 @@ jobs:
         test: [ kiwi, lemon, orange ]
     name: Running OLM ${{ matrix.test }} test
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: read
     needs:
       - buildx
       - olm-scorecard
@@ -609,6 +618,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           repository: k8s-operatorhub/community-operators
+          persist-credentials: false
 
       - name: Login to ghcr.io
         uses: docker/login-action@v3