diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 8de4d60..98c16ba 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -1,6 +1,9 @@
 name: Plugins - CD
 run-name: Deploy ${{ inputs.branch }} to ${{ inputs.environment }} by @${{ github.actor }}
-permissions: {}
+permissions:
+  attestations: write
+  contents: write
+  id-token: write
 
 on:
   workflow_dispatch:
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index a432517..11c5339 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -1,5 +1,7 @@
 name: Plugins - CI
-permissions: {}
+permissions:
+  contents: read
+  id-token: write
 
 on:
   push: