diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index dd45848af..b64886f9a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -986,6 +986,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: write
+ id-token: write
 environment: releasing
 if: ${{ needs.release.outputs.latest_commit == github.sha }}
 steps:
@@ -1018,6 +1019,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: write
+ id-token: write
 environment: releasing
 if: ${{ needs.release.outputs.latest_commit == github.sha }}
 steps:
diff --git a/projenrc/adc-publishing.ts b/projenrc/adc-publishing.ts
index 3b8de404a..d9914734f 100644
--- a/projenrc/adc-publishing.ts
+++ b/projenrc/adc-publishing.ts
@@ -35,6 +35,7 @@ export class AdcPublishing extends Component {
 runsOn: ['ubuntu-latest'],
 permissions: {
 contents: JobPermission.WRITE,
+ idToken: JobPermission.WRITE,
 },
 if: '${{ needs.release.outputs.latest_commit == github.sha }}',
 steps: [
diff --git a/projenrc/record-publishing-timestamp.ts b/projenrc/record-publishing-timestamp.ts
index 3c92c1033..6b10a7741 100644
--- a/projenrc/record-publishing-timestamp.ts
+++ b/projenrc/record-publishing-timestamp.ts
@@ -25,6 +25,7 @@ export class RecordPublishingTimestamp extends Component {
 runsOn: ['ubuntu-latest'],
 permissions: {
 contents: JobPermission.WRITE,
+ idToken: JobPermission.WRITE,
 },
 if: '${{ needs.release.outputs.latest_commit == github.sha }}',
 steps: [
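Review bot: The new `idToken: JobPermission.WRITE` in the `permissions` object of the AdcPublishing job (projenrc/adc-publishing.ts), and the identical line in RecordPublishingTimestamp, has no comment saying which step needs an OIDC token. A line such as `// idToken: lets <STEP_NAME> exchange a GitHub OIDC token for publishing credentials` above it would make the grant auditable. The permission is job-wide, and the `steps` array opens on the last line of each hunk and continues outside it, so it is not visible whether any third-party action runs in these jobs. If one does, it can request the token alongside `contents: write` and should be pinned to a full commit SHA. The generated release.yml hunks show both jobs bound to `environment: releasing`, so the trust policy on the receiving side should presumably match the token's `sub` claim against that environment rather than the repository alone.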