diff --git a/.github/workflows/on-merge-to-main.yml b/.github/workflows/on-merge-to-main.yml
index 4a7d7b9..127b00c 100644
--- a/.github/workflows/on-merge-to-main.yml
+++ b/.github/workflows/on-merge-to-main.yml
@@ -8,3 +8,7 @@ on:
 jobs:
   ci:
     uses: magmaworks/actions/.github/workflows/on-merge-to-main.yml@main
+    permissions:
+        contents: write
+        actions: write
+        attestations: write
diff --git a/.github/workflows/on-pull-request.yml b/.github/workflows/on-pull-request.yml
index 29cba14..0603f40 100644
--- a/.github/workflows/on-pull-request.yml
+++ b/.github/workflows/on-pull-request.yml
@@ -9,3 +9,5 @@ on:
 jobs:
   ci:
     uses: magmaworks/actions/.github/workflows/on-pull-request.yml@main
+    permissions:
+      checks: write
diff --git a/.github/workflows/on-release.yml b/.github/workflows/on-release.yml
index 6dc6020..3cbdc85 100644
--- a/.github/workflows/on-release.yml
+++ b/.github/workflows/on-release.yml
@@ -8,3 +8,7 @@ jobs:
   ci:
     uses: magmaworks/actions/.github/workflows/on-release.yml@main
     secrets: inherit
+    permissions:
+        contents: write
+        actions: write
+        attestations: write