diff --git a/.github/workflows/ci-copr.yml b/.github/workflows/ci-copr.yml
index 7d9f06a7..958cfb0e 100644
--- a/.github/workflows/ci-copr.yml
+++ b/.github/workflows/ci-copr.yml
@@ -46,6 +46,8 @@ jobs:
       startsWith(github.repository, 'LizardByte/')
     needs:
       - call-copr-ci
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - name: Download build artifacts
@@ -68,5 +70,5 @@ jobs:
           name: ${{ github.event.release.name }}
           prerelease: true
           tag: ${{ github.event.release.tag_name }}
-          token: ${{ secrets.GH_BOT_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}  # use built-in token to avoid repeating workflow triggers
           virustotal_api_key: ${{ secrets.VIRUSTOTAL_API_KEY }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e4271181..375eace4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -95,6 +95,8 @@ jobs:
     name: Linux Copr
     if: github.event_name != 'push'  # releases are handled directly in ci-copr.yml
     needs: release-setup
+    permissions:
+      contents: write  # needed to update releases
     uses: ./.github/workflows/ci-copr.yml
     secrets:
       COPR_BETA_WEBHOOK_TOKEN: ${{ secrets.COPR_BETA_WEBHOOK_TOKEN }}