diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
index 9fb4a161..c7b8516f 100644
--- a/.github/workflows/master.yaml
+++ b/.github/workflows/master.yaml
@@ -56,6 +56,9 @@ jobs:
 publish-dev-packages:
 needs: [fetch-version, test-dev-packages, test-dev-packages-arm64]
+ permissions:
+ id-token: write
+ contents: read
 uses: ./.github/workflows/reusable_publish_packages.yaml
 with:
 bucket_suffix: '-dev'
@@ -84,6 +87,10 @@ jobs:
 publish-dev-docker:
 needs: [fetch-version, build-dev-docker, build-dev-docker-arm64]
+ permissions:
+ attestations: write
+ id-token: write
+ contents: read
 uses: ./.github/workflows/reusable_publish_docker.yaml
 with:
 tag: master
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 65204e51..388eedef 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -96,6 +96,9 @@ jobs:
 publish-packages:
 needs: [release-settings, test-packages, test-packages-arm64]
+ permissions:
+ id-token: write
+ contents: read
 uses: ./.github/workflows/reusable_publish_packages.yaml
 with:
 bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
@@ -125,6 +128,10 @@ jobs:
 publish-docker:
 needs: [release-settings, build-docker, build-docker-arm64]
+ permissions:
+ attestations: write
+ id-token: write
+ contents: read
 uses: ./.github/workflows/reusable_publish_docker.yaml
 secrets: inherit
 with:
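Review bot: The `permissions` block added to `publish-dev-packages` in master.yaml (and the identical one on `publish-packages` in release.yaml) grants `id-token: write` with no comment saying what consumes the token. Both jobs call the same reusable_publish_packages.yaml and differ only in `bucket_suffix`, so the dev job and the release job presumably request OIDC tokens from the same cloud identity setup; nothing in these workflow files keeps the two apart. I would add a comment such as `# id-token: write: reusable_publish_packages.yaml exchanges the OIDC token for upload credentials (confirm)` and check that the cloud-side trust policy matches on the token's `sub` / `job_workflow_ref` claims, so the dev job cannot assume the release role. Both job definitions continue outside their hunks.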
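Review bot: On `publish-dev-docker` in master.yaml (and `publish-docker` in release.yaml) the new job-level `permissions` map sets every scope it does not list to `none`, and the called reusable_publish_docker.yaml can only narrow what the caller grants, never widen it. If that workflow pushes the image to GHCR with `GITHUB_TOKEN`, which this diff does not show, the push would lose access and the block needs `packages: write` next to `attestations: write`. If the registry is external, a one-line comment such as `# no packages: write: image is pushed to an external registry` would record that the scope is absent on purpose.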
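Review bot: `publish-docker` in release.yaml keeps `secrets: inherit` while gaining `id-token: write` and `attestations: write`, so the called workflow receives every secret available to this caller on top of the ability to mint OIDC tokens. If the OIDC token replaces a long-lived registry credential, as the new scopes suggest, the inherit is broader than the job needs. Passing only what reusable_publish_docker.yaml declares, i.e. `secrets:` followed by one `<SECRET_NAME>: ${{ secrets.<SECRET_NAME> }}` entry per required secret (placeholder name), limits what a compromised action inside that workflow could read. The job's `with:` block continues outside the hunk.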