diff --git a/.github/workflows/pr-title-checks.yaml b/.github/workflows/pr-title-checks.yaml
index e34a7d7..91e241b 100644
--- a/.github/workflows/pr-title-checks.yaml
+++ b/.github/workflows/pr-title-checks.yaml
@@ -2,13 +2,14 @@ name: "pr-title-checks"
 
 on:
   pull_request_target:
-    # NOTE: The `pull_request_target` event means GITHUB_TOKEN can access secrets and is granted
-    # read/write repository access by default. So we need to ensure:
+    # NOTE: Workflows triggered by this event give the workflow access to secrets and grant the
+    # `GITHUB_TOKEN` read/write repository access by default. So we need to ensure:
     # - This workflow doesn't inadvertently check out, build, or execute untrusted code from the
     #   pull request triggered by this event.
     # - Each job has `permissions` set to only those necessary.
     types: ["edited", "opened", "reopened"]
     branches: ["main"]
+permissions: {}
 
 concurrency:
   group: "${{github.workflow}}-${{github.ref}}"