diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0f7b59424..0b32bc20e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -31,6 +31,8 @@ jobs:
 
     permissions:
       contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
 
     steps:
     - uses: actions/checkout@v6
diff --git a/.github/workflows/debug-artifacts-failure-safe.yml b/.github/workflows/debug-artifacts-failure-safe.yml
index 4d0433535..6c456ea88 100644
--- a/.github/workflows/debug-artifacts-failure-safe.yml
+++ b/.github/workflows/debug-artifacts-failure-safe.yml
@@ -41,6 +41,8 @@ jobs:
       CODEQL_ACTION_TEST_MODE: true
     permissions:
       contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
     timeout-minutes: 45
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/debug-artifacts-safe.yml b/.github/workflows/debug-artifacts-safe.yml
index 7886d44c7..7c1d8da64 100644
--- a/.github/workflows/debug-artifacts-safe.yml
+++ b/.github/workflows/debug-artifacts-safe.yml
@@ -40,6 +40,8 @@ jobs:
     timeout-minutes: 45
     permissions:
       contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository
diff --git a/.github/workflows/python312-windows.yml b/.github/workflows/python312-windows.yml
index 79602d056..880ecd578 100644
--- a/.github/workflows/python312-windows.yml
+++ b/.github/workflows/python312-windows.yml
@@ -26,6 +26,8 @@ jobs:
     timeout-minutes: 45
     permissions:
       contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
     runs-on: windows-latest
 
     steps: