diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
index 2e368d096..2890e0462 100644
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@@ -1,5 +1,5 @@
 # This file is synced from the `.github` repository, do not modify it directly.
-name: Workflow Syntax
+name: Actionlint
 on:
 push:
@@ -31,6 +31,8 @@ jobs:
 workflow_syntax:
 if: github.repository_owner == 'Homebrew'
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Set up Homebrew
 id: setup-homebrew
@@ -63,7 +65,11 @@ jobs:
 upload_sarif:
 needs: workflow_syntax
 # We want to always upload this even if `actionlint` failed.
- if: always() && !contains(fromJSON('[["cancelled", "skipped"]]'), needs.workflow_syntax.result)
+ # This is only available on public repositories.
+ if: >
+ always() &&
+ !contains(fromJSON('[["cancelled", "skipped"]]'), needs.workflow_syntax.result) &&
+ !github.event.repository.private
 runs-on: ubuntu-latest
 permissions:
 contents: read
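Review bot: The `permissions:` block added to `workflow_syntax` (hunk `@@ -31,6 +31,8 @@`) carries no comment explaining why `contents: read` is the only scope. A job-level block replaces the workflow default for this job rather than adding to it, so every scope not listed becomes `none`. I would put `# Least privilege: this job only needs to read the repository; list any further scope a step needs here.` directly above it. The job's steps continue outside the hunk, so whether a later step needs another scope cannot be checked from here.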
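Review bot: As rendered in the `upload_sarif` hunk (`@@ -63,7 +65,11 @@`), `fromJSON('[["cancelled", "skipped"]]')` parses to an array whose single element is itself an array, so `contains(...)` against the string in `needs.workflow_syntax.result` can never match and the cancelled/skipped exclusion is a no-op. The doubled brackets appear on both the removed and the added line, so the commit carries this over rather than introducing it. If they are really in the file and not a rendering artefact, the line should read `!contains(fromJSON('["cancelled", "skipped"]'), needs.workflow_syntax.result) &&`. The new `!github.event.repository.private` term would also evaluate to true when the event payload has no `repository` object, so the gate fails open on such triggers; only `push` is visible among the triggers here. The `upload_sarif` job continues past the end of the hunk.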