diff --git a/.github/workflows/auto-labeler.yml b/.github/workflows/auto-labeler.yml
index e386029..43e20ea 100644
--- a/.github/workflows/auto-labeler.yml
+++ b/.github/workflows/auto-labeler.yml
@@ -9,7 +9,7 @@ permissions:
 jobs:
   main:
     permissions:
-      contents: write
+      contents: read
       pull-requests: write
     uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@6a0a6d0de2227f9d5d11af90a87b2e2fd6b5463d
     with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a925e51..a8dd877 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,10 +21,10 @@ jobs:
   release_image:
     needs: release
     permissions:
-      contents: write
-      discussions: write
+      contents: read
       packages: write
-      pull-requests: read
+      id-token: write
+      attestations: write
     uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@6a0a6d0de2227f9d5d11af90a87b2e2fd6b5463d
     with:
       image-name: ${{ github.repository }}