diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index ec653098d..bc357156b 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -17,6 +17,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions: {}
+
 env:
 NODE_ACTIVE_LTS: "22" # see https://nodejs.org/en/about/releases/
 REPORTS_DIR: "CI_reports"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 52516ac43..d8fdfadb7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -28,7 +28,7 @@ on:
 default: false
 required: false
-permissions: write-all
+permissions: {}
 env:
 REPORTS_DIR: CI_reports
@@ -45,6 +45,8 @@ jobs:
 version_plain: ${{ steps.bump.outputs.version_plain }}
 runs-on: ubuntu-latest
 timeout-minutes: 30
+ permissions:
+ contents: write # needed for git push
 steps:
 - name: Checkout code
 # see https://github.com/actions/checkout
@@ -85,6 +87,9 @@ jobs:
 name: publish package
 runs-on: ubuntu-latest
 timeout-minutes: 30
+ permissions:
+ id-token: write # Enables provenance signing via OIDC
+ packages: write # Allows writing to organization packages
 env:
 PACKAGE_RELEASE_TAG: ${{ github.event.inputs.prerelease == 'true' && 'unstable-prerelease' || 'latest' }}
 steps:
@@ -161,6 +166,8 @@ jobs:
 name: publish GitHub
 runs-on: ubuntu-latest
 timeout-minutes: 30
+ permissions:
+ contents: write # create a release
 env:
 ASSETS_DIR: release_assets
 steps:
diff --git a/package.json b/package.json
index 1aa76ea6c..2e553824f 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@cyclonedx/cyclonedx-library",
- "version": "8.0.1-alpha.0",
+ "version": "8.0.1-alpha.1",
 "description": "Core functionality of CycloneDX for JavaScript (Node.js or WebBrowser).",
 "license": "Apache-2.0",
 "keywords": [
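Review bot: The workflow-level `permissions: {}` added to nodejs.yml has no matching job-level grant anywhere in this diff, so every job in that workflow now runs with a GITHUB_TOKEN that carries no scopes. That is a sound default for a test workflow, but the jobs themselves lie outside the hunk. Any step that reads the repository through the API, or runs where the repository is not public, would need `contents: read` under a `permissions:` key on its own job. I would also put a comment on the line, e.g. `permissions: {}  # deny by default; grant per job`, so later contributors add scopes at job level instead of widening the workflow default.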
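Review bot: `packages: write` on the "publish package" job in release.yml is a scope for GitHub Packages only. The publish steps are outside this hunk, so if they push to the npm registry with a registry token, the scope is unused and should be dropped, leaving `id-token: write` as the job's only grant. A job-level `permissions` block also sets every unlisted scope to none, so if this job checks out the repository in a non-public context it would additionally need `contents: read`. Any job in release.yml that this diff does not touch now inherits the empty workflow default and should be checked the same way.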