diff --git a/.github/workflows/calibreapp-image-actions.yml b/.github/workflows/calibreapp-image-actions.yml
index 21df1f626502..97081deb6e8e 100644
--- a/.github/workflows/calibreapp-image-actions.yml
+++ b/.github/workflows/calibreapp-image-actions.yml
@@ -8,12 +8,18 @@ on:
       - '**.png'
       - '**.webp'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     # Only run on Pull Requests within the same repository, and not from forks.
     if: github.event.pull_request.head.repo.full_name == github.repository
     name: calibreapp/image-actions
     runs-on: ubuntu-latest
+    permissions:
+      # allow calibreapp/image-actions to update PRs
+      pull-requests: write
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v3