diff --git a/.github/workflows/command-rebase.yml b/.github/workflows/command-rebase.yml
index 4e41c31d..78fcf5d1 100644
--- a/.github/workflows/command-rebase.yml
+++ b/.github/workflows/command-rebase.yml
@@ -9,9 +9,14 @@ on:
   issue_comment:
     types: created
 
+permissions:	
+  contents: read	
+
 jobs:
   rebase:
     runs-on: ubuntu-latest
+    permissions:
+      contents: none
 
     # On pull requests and if the comment starts with `/rebase`
     if: github.event.issue.pull_request != '' && startsWith(github.event.comment.body, '/rebase')
@@ -32,7 +37,7 @@ jobs:
           token: ${{ secrets.COMMAND_BOT_PAT }}
 
       - name: Automatic Rebase
-        uses: cirrus-actions/rebase@1.5
+        uses: cirrus-actions/rebase@1.7
         env:
           GITHUB_TOKEN: ${{ secrets.COMMAND_BOT_PAT }}