diff --git a/.github/workflows/hypatia-scan-reusable.yml b/.github/workflows/hypatia-scan-reusable.yml
index 986d5f9c..710fd97b 100644
--- a/.github/workflows/hypatia-scan-reusable.yml
+++ b/.github/workflows/hypatia-scan-reusable.yml
@@ -81,6 +81,17 @@ permissions:
   # "Resource not accessible by integration" and (absent continue-on-error)
   # hard-fails the scan — exactly what the gate-decoupling design forbids.
   pull-requests: write
+  # actions: read lets `codeql-action/upload-sarif` call
+  # GET /repos/{owner}/{repo}/actions/runs/{run_id} to attach the SARIF
+  # blob to the workflow run. Without it the upload step fails with
+  # "Resource not accessible by integration" AFTER the scan + SARIF
+  # conversion both succeed — symptoms observed across .git-private-farm
+  # and other estate consumers since the SARIF upload was wired in.
+  # Reusable workflow permission blocks OVERRIDE the caller's permission
+  # block, so this MUST live here at source rather than at every
+  # wrapper — adding it only at the wrapper is a no-op.
+  # See .git-private-farm#69 for the reproducing logs.
+  actions: read
 
 jobs:
   scan:
diff --git a/.github/workflows/secret-scanner-reusable.yml b/.github/workflows/secret-scanner-reusable.yml
index 03c98a1a..3ef57023 100644
--- a/.github/workflows/secret-scanner-reusable.yml
+++ b/.github/workflows/secret-scanner-reusable.yml
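Review bot: The comment above the new `actions: read` line claims a reusable workflow's permission block overrides the caller's and that granting the permission at the wrapper is a no-op; as far as the GitHub Actions token model goes, the relationship is the reverse — a called workflow can only narrow the `GITHUB_TOKEN` it receives, never widen it — so a wrapper whose own `permissions:` block omits `actions: read` will still hit "Resource not accessible by integration" after this change. The comment should state that the grant is needed here and in every caller that pins its own permissions, e.g. `# Callers with an explicit permissions block must also grant actions: read — a called workflow cannot elevate beyond the caller's token.` The same wording is repeated in the secret-scanner-reusable.yml hunk below and should be corrected there too. Putting the grant in the workflow-level block also hands `actions: read` to every job in this file rather than only the job that runs upload-sarif; if the file has jobs other than `scan`, a job-level block like the one the second hunk introduces would keep the grant narrower.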
@@ -77,6 +77,21 @@ jobs:
 
   gitleaks:
     runs-on: ${{ inputs.runs-on }}
+    # Job-level permissions (narrower than granting these workflow-wide).
+    # The other jobs (trufflehog / rust-secrets / shell-secrets) only need
+    # `contents: read`, which they get from the workflow-level block.
+    permissions:
+      contents: read
+      # gitleaks-action's `ScanPullRequest` posts a summary comment via
+      # the GitHub Issues/PR API. Without `pull-requests: write` it fails
+      # with "Resource not accessible by integration" AFTER the gitleaks
+      # scan itself succeeds. Reusable-workflow permission blocks
+      # OVERRIDE the caller's, so this MUST live here at source.
+      # See .git-private-farm#69 for the reproducing logs.
+      pull-requests: write
+      # Additional API calls inside `ScanPullRequest` (workflow-run
+      # metadata, PR-files endpoint) require `actions: read`.
+      actions: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
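Review bot: The new job-level block gives the gitleaks job a token that can write to pull requests, and that token is reachable by every step in the job, including the gitleaks-action step that follows outside this hunk; that step should be pinned to a full commit SHA the way `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd` already is, so a moved tag cannot place new code behind a write-capable token. The leading comment says the block is "narrower", but the property that matters for maintainers is that a job-level `permissions:` replaces the workflow-level one for this job rather than adding to it, which is the reason `contents: read` has to be restated; a one-line note would prevent someone from later dropping it as redundant, e.g. `# A job-level permissions block replaces (not extends) the workflow-level one, so contents: read is restated here.` The claim in the `pull-requests: write` comment that this block overrides the caller's permissions has the same problem as the hypatia-scan-reusable.yml hunk above: callers that pin permissions must grant these too.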