diff --git a/.gitea/workflows/sop-checklist.yml b/.gitea/workflows/sop-checklist.yml
index 85ebf50a1..b8ca6029d 100644
--- a/.gitea/workflows/sop-checklist.yml
+++ b/.gitea/workflows/sop-checklist.yml
@@ -84,6 +84,7 @@ on:
 permissions:
   contents: read
   pull-requests: read
+  secrets: read
   # NOTE: `statuses: write` is the GitHub-Actions name for POST /statuses.
   # Gitea 1.22.6 may not gate on this permission key (it just checks the
   # token), but listing it explicitly documents intent for the next
diff --git a/.gitea/workflows/sop-tier-check.yml b/.gitea/workflows/sop-tier-check.yml
index 1f9eb8889..c606aa4b3 100644
--- a/.gitea/workflows/sop-tier-check.yml
+++ b/.gitea/workflows/sop-tier-check.yml
@@ -71,6 +71,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: read
+      secrets: read
     steps:
       - name: Check out base branch (for the script)
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2