diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 13d77d1..9eb6647 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,5 +21,6 @@ jobs:
     with:
       bump: ${{ inputs.bump }}
     permissions:
-      contents: write
-      pull-requests: write
+      contents: write          # release upload
+      id-token: write          # OIDC for sigstore (required by the attest job)
+      attestations: write      # GitHub native attestation API (required by the attest job)