diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
index 3f6a2a1..f5abc37 100644
--- a/.github/workflows/dependabot-auto-merge.yaml
+++ b/.github/workflows/dependabot-auto-merge.yaml
@@ -1,12 +1,14 @@
 name: Dependabot auto-merge
 on: pull_request
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 jobs:
   dependabot-auto-merge:
     runs-on: ubuntu-latest
     if: ${{ github.actor == 'dependabot[bot]' && !github.event.pull_request.auto_merge }}
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Approve a PR
         run: gh pr review --approve "$PR_URL"