diff --git a/.github/workflows/command-rebase.yml b/.github/workflows/command-rebase.yml
index 29e1dd5a5..78fcf5d19 100644
--- a/.github/workflows/command-rebase.yml
+++ b/.github/workflows/command-rebase.yml
@@ -9,9 +9,14 @@ on:
   issue_comment:
     types: created
 
+permissions:	
+  contents: read	
+
 jobs:
   rebase:
     runs-on: ubuntu-latest
+    permissions:
+      contents: none
 
     # On pull requests and if the comment starts with `/rebase`
     if: github.event.issue.pull_request != '' && startsWith(github.event.comment.body, '/rebase')
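Review bot: The two added top-level lines, `permissions:` and `contents: read`, each end in a tab character, which yamllint reports as trailing whitespace and which YAML tooling does not handle uniformly; strip the tabs so the lines end right after `permissions:` and `contents: read`. In the `rebase` job, the job-level `permissions` block replaces the workflow-level one rather than merging with it, and scopes it does not list default to none, so with only `contents: none` the GITHUB_TOKEN carries no scopes at all in this job. The job's steps are outside the hunk, so it is worth confirming that checkout and the push of the rebased branch authenticate with a separate secret, and recording that above the block, e.g. `# GITHUB_TOKEN is intentionally scope-less here; the rebase step uses its own token`.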