diff --git a/.github/workflows/ci-weekly.yaml b/.github/workflows/ci-weekly.yaml
index 6523d8838..ce458389a 100644
--- a/.github/workflows/ci-weekly.yaml
+++ b/.github/workflows/ci-weekly.yaml
@@ -119,3 +119,6 @@ jobs:
 AZ_APPID: ${{ secrets.AZ_APPID }}
 AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
 AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+ permissions:
+ contents: read
+ id-token: write
diff --git a/.github/workflows/release-amd64.yaml b/.github/workflows/release-amd64.yaml
index fb454cd79..4b916ec25 100644
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
@@ -20,6 +20,11 @@ jobs:
 stage: release
 secrets:
 QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ attestations: write
 kata-deploy:
 needs: build-kata-static-tarball-amd64
diff --git a/.github/workflows/release-arm64.yaml b/.github/workflows/release-arm64.yaml
index eff43ee2e..c3a54f8da 100644
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@@ -20,6 +20,11 @@ jobs:
 stage: release
 secrets:
 QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ attestations: write
 kata-deploy:
 needs: build-kata-static-tarball-arm64
diff --git a/.github/workflows/release-ppc64le.yaml b/.github/workflows/release-ppc64le.yaml
index b80feef90..30a59c01b 100644
--- a/.github/workflows/release-ppc64le.yaml
+++ b/.github/workflows/release-ppc64le.yaml
@@ -20,6 +20,11 @@ jobs:
 stage: release
 secrets:
 QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ attestations: write
 kata-deploy:
 needs: build-kata-static-tarball-ppc64le
diff --git a/.github/workflows/release-s390x.yaml b/.github/workflows/release-s390x.yaml
index 755da97c7..78d57cd31 100644
--- a/.github/workflows/release-s390x.yaml
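Review bot: The added `id-token: write` in ci-weekly.yaml has no comment saying what consumes the OIDC token, so a later reviewer cannot tell whether the scope is still needed; something like `# id-token: write - OIDC token for the cloud login that uses the AZ_* values above (confirm in the called workflow)` would record it. A job-level `permissions:` key sets every unlisted scope to `none`, and a called reusable workflow can only narrow what its caller grants, so this block is the ceiling for everything the job runs. The token is only as restricted as the trust policy that accepts it, so the federated credential behind `AZ_APPID` should be checked to match this repository and ref rather than a broad subject. The job key and its `uses:` line are outside the hunk, so the reusable-workflow reading is inferred.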
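Review bot: Three write scopes (`packages`, `id-token`, `attestations`) are granted in release-amd64.yaml to the job above `kata-deploy` with no comment on which step needs each one, and the identical block is repeated in release-arm64.yaml, release-ppc64le.yaml and release-s390x.yaml. A one-line comment per file would make the grant auditable, e.g. `# packages: publish to GitHub Packages; id-token + attestations: build provenance` (purposes inferred from the scope names, adjust to what the called workflow actually does). These grants are an upper bound for every job in the called workflow, so that workflow should declare its own per-job `permissions:` and keep the writes on the job that publishes and attests, leaving pure build jobs at `contents: read`. The job key and `uses:` line are outside the hunk.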
+++ b/.github/workflows/release-s390x.yaml
@@ -23,6 +23,11 @@ jobs:
 secrets:
 CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
 QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ attestations: write
 kata-deploy: