diff --git a/.github/workflows/clean-cache.yml b/.github/workflows/clean-cache.yml
index 92db39a..c84eaf1 100644
--- a/.github/workflows/clean-cache.yml
+++ b/.github/workflows/clean-cache.yml
@@ -5,6 +5,10 @@ on:
     types:
       - closed
 
+permissions:
+  actions: write
+  contents: read
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 55f0e92..6f4d784 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,12 @@ on:
       - "v[0-9]+.[0-9]+.[0-9]+"
       - "**/v[0-9]+.[0-9]+.[0-9]+"
 
+permissions:
+  contents: read  # Needed for all jobs to checkout the repository
+  packages: write # For the build job to push to GHCR
+  attestations: write # For managing attestations in the build job
+  id-token: write # For OIDC token usage in the build and potentially in the renew-docs job
+
 jobs:
   lint:
     name: Lint