diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index d021fc0..065fed5 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -165,6 +165,7 @@ jobs:
     needs: setup
 
     permissions:
+      actions: read
       contents: read
       security-events: write
     steps:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 44b8a6f..b6d5f3c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+
+- Add `actions: read` permission to the zizmor job to fix "resource not accessible by integration" errors in private repositories
+
 ## [2.1.0]
 
 ### Added