diff --git a/pkg/workflow/compiler_safe_outputs_job_test.go b/pkg/workflow/compiler_safe_outputs_job_test.go
index 66f42ab9fc4..7b96da8b4bf 100644
--- a/pkg/workflow/compiler_safe_outputs_job_test.go
+++ b/pkg/workflow/compiler_safe_outputs_job_test.go
@@ -1201,6 +1201,8 @@ func TestCreateCodeScanningAlertUploadJob(t *testing.T) {
 		"Upload job must only run when sarif_file is non-empty")
 	assert.Contains(t, uploadJob.If, string(constants.SafeOutputsJobName),
 		"Upload job if-condition must reference safe_outputs outputs")
+	assert.Contains(t, uploadJob.Permissions, "actions: read",
+		"Upload job permissions must include actions: read for private-repo SARIF uploads")
 
 	uploadSteps := strings.Join(uploadJob.Steps, "")
 
diff --git a/pkg/workflow/create_code_scanning_alert.go b/pkg/workflow/create_code_scanning_alert.go
index d5340a0942f..44b4fbff0f0 100644
--- a/pkg/workflow/create_code_scanning_alert.go
+++ b/pkg/workflow/create_code_scanning_alert.go
@@ -158,8 +158,9 @@ func (c *Compiler) buildCodeScanningUploadJob(data *WorkflowData) (*Job, error)
 	// The job only runs when the safe_outputs job exported a non-empty SARIF file path.
 	jobCondition := fmt.Sprintf("needs.%s.outputs.sarif_file != ''", constants.SafeOutputsJobName)
 
-	// Permissions: contents:read to checkout, security-events:write to upload SARIF
-	permissions := NewPermissionsContentsReadSecurityEventsWrite()
+	// Permissions: contents:read to checkout, security-events:write to upload SARIF,
+	// actions:read for upload-sarif workflow run lookup in private repos
+	permissions := NewPermissionsContentsReadSecurityEventsWriteActionsRead()
 
 	job := &Job{
 		Name: string(constants.UploadCodeScanningJobName),
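Review bot: The new `assert.Contains(t, uploadJob.Permissions, "actions: read", ...)` only proves the scope is present; it does not pin the upload job's permission set, so a later widening to `actions: write` or an extra scope such as `contents: write` would still pass this test even though the job's whole purpose is to run with the minimum grant. Since the permission block is small and fixed, assert the full rendered block (or at least add `assert.NotContains(t, uploadJob.Permissions, "actions: write", "Upload job must not be granted actions: write")`) so a regression in least privilege fails the test. I cannot tell from the hunk whether `uploadJob.Permissions` is a string or a slice, so pick the exact-match form that fits its type. TestCreateCodeScanningAlertUploadJob starts before and continues after this hunk.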
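Review bot: `actions: read` is now granted to every generated upload job, while the new comment says it is needed only for private repositories; the comment should say explicitly that the extra read scope is handed to public repos too because repository visibility is not known at compile time, so the next maintainer does not read it as conditional. Suggested wording: `// actions:read is granted unconditionally because repo visibility is not known here; upload-sarif only needs it to look up the workflow run in private repos.` The helper `NewPermissionsContentsReadSecurityEventsWriteActionsRead()` is not defined in this diff, so please confirm it emits exactly the three scopes named in the comment and nothing broader. buildCodeScanningUploadJob begins before and ends after this hunk, so the step that actually consumes the permission is not visible here.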