diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e7d422b7b7..5f4f153bd2 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -175,6 +175,9 @@ jobs:
 name: generate provenance for binaries
 needs: [goreleaser]
 if: startsWith(github.ref, 'refs/tags/')
+ permissions:
+ contents: read
+ id-token: write
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 # must use semver here
 with:
 base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
@@ -185,6 +188,7 @@ jobs:
 needs: [goreleaser]
 if: startsWith(github.ref, 'refs/tags/')
 permissions:
+ contents: read
 id-token: write # To use our GitHub token
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 # must use semver here
 with:
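Review bot: The new `permissions:` block on the "generate provenance for binaries" job lists only `contents: read` and `id-token: write`, and a job-level block sets every scope it does not list to `none`, so the called `generator_generic_slsa3.yml` workflow cannot be granted anything beyond these two. As far as I recall, the slsa-github-generator documentation also asks for `actions: read` for this generator and for `contents: write` when the provenance is uploaded to the release; the rest of the `with:` block is outside the hunk, so whether upload is enabled cannot be seen here. The same applies to the second hunk, where the job calling `generator_container_slsa3.yml` now has `contents: read` and `id-token: write` only, while that generator is documented as needing `actions: read` and `packages: write` to push the attestation to the registry. If those scopes are required, the provenance jobs would fail on the tag push and the release would ship without attestations, so I would check the generator's README for v2.0.0 and add, for example, `actions: read # to read the workflow path`. Each added scope should also carry a short comment saying why it is needed, as the existing `id-token: write` line does.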