diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml index f9f6952..efaf690 100644 --- a/.github/workflows/test-release.yaml +++ b/.github/workflows/test-release.yaml @@ -20,10 +20,10 @@ jobs: release_image: needs: release permissions: - contents: write - discussions: write + contents: read packages: write - pull-requests: read + id-token: write + attestations: write uses: ./.github/workflows/release-image.yaml with: image-name: github/ospo-reusable-workflows diff --git a/docs/auto-labeler.md b/docs/auto-labeler.md index 6b148ca..30dc6b1 100644 --- a/docs/auto-labeler.md +++ b/docs/auto-labeler.md @@ -4,6 +4,9 @@ ```yaml - uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yml@main + permissions: + contents: write + pull-requests: write with: # The name of the configuration file to use, default is release-drafter.yml # from the release-drafter/release-drafter GitHub Action diff --git a/docs/labeler.md b/docs/labeler.md index ffed2a6..d8f6894 100644 --- a/docs/labeler.md +++ b/docs/labeler.md @@ -4,6 +4,9 @@ ```yaml - uses: github/ospo-reusable-workflows/.github/workflows/labeler.yml@main + permissions: + contents: read + pull-requests: write with: # The name of the configuration file to use, default is labeler.yml # from the actions/labeler GitHub Action diff --git a/docs/pr-title.md b/docs/pr-title.md index 2f9d4cc..219a7bb 100644 --- a/docs/pr-title.md +++ b/docs/pr-title.md @@ -4,6 +4,10 @@ ```yaml - uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yml@main + permissions: + contents: read + pull-requests: read + statuses: write with: # Configure which types are allowed (newline-delimited). # From: https://github.com/commitizen/conventional-commit-types/blob/master/index.json diff --git a/docs/release-discussion.md b/docs/release-discussion.md index b06db7a..124085e 100644 --- a/docs/release-discussion.md +++ b/docs/release-discussion.md 
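Review bot: The new `id-token: write` and `attestations: write` grants on the `release_image` job carry no comment explaining why they are needed. `id-token: write` lets the called workflow request an OIDC token, so the reason should be recorded to stop a later edit from dropping or widening it. If the grants exist for image attestation (the hunk does not show this), a line such as `# id-token + attestations: used by release-image.yaml to create the image attestation` above them would do. A called workflow cannot receive more than its caller passes, so also confirm that the jobs in `./.github/workflows/release-image.yaml` no longer request `contents: write` or `discussions: write`, which this hunk removes. The `jobs:` mapping starts above the hunk and the `with:` block continues below it.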
@@ -4,6 +4,9 @@ ```yaml - uses: github/ospo-reusable-workflows/.github/workflows/release.yml@main + permissions: + contents: read + discussions: write with: # Full tag of the image, usually the version (v1.0.0) full-tag: v1.0.0 diff --git a/docs/release-image.md b/docs/release-image.md index bd47e12..72fc1e4 100644 --- a/docs/release-image.md +++ b/docs/release-image.md @@ -4,6 +4,11 @@ ```yaml - uses: github/ospo-reusable-workflows/.github/workflows/release.yml@main + permissions: + contents: read + packages: write + id-token: write + attestations: write with: # Image name, usually owner/repository (github/ospo-reusable-workflows) image-name: ${{ github.repository }} diff --git a/docs/release.md b/docs/release.md index 3be15c9..d414a72 100644 --- a/docs/release.md +++ b/docs/release.md @@ -4,6 +4,9 @@ ```yaml - uses: github/ospo-reusable-workflows/.github/workflows/release.yml@main + permissions: + contents: write + pull-requests: read with: # Boolean flag whether to publish the release, default is true publish: true