diff --git a/.github/workflows/build_aarch64.yml b/.github/workflows/build_aarch64.yml
index 0121a7ea..55db8b74 100644
--- a/.github/workflows/build_aarch64.yml
+++ b/.github/workflows/build_aarch64.yml
@@ -27,6 +27,10 @@ jobs:
 uses: ./.github/workflows/build.yml
 with:
 arch: 'aarch64'
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
 secrets:
 RPM_SIGNING_KEY: ${{ secrets.RPM_SIGNING_KEY }}
 R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
diff --git a/.github/workflows/build_aarch64_test.yml b/.github/workflows/build_aarch64_test.yml
index 5c275f69..62d7d1fa 100644
--- a/.github/workflows/build_aarch64_test.yml
+++ b/.github/workflows/build_aarch64_test.yml
@@ -28,6 +28,10 @@ jobs:
 with:
 arch: 'aarch64'
 test_build: true
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
 secrets:
 RPM_SIGNING_KEY: ${{ secrets.RPM_SIGNING_KEY }}
 R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
diff --git a/.github/workflows/build_x86_64.yml b/.github/workflows/build_x86_64.yml
index 1e0e63c9..9bf580a0 100644
--- a/.github/workflows/build_x86_64.yml
+++ b/.github/workflows/build_x86_64.yml
@@ -27,6 +27,10 @@ jobs:
 uses: ./.github/workflows/build.yml
 with:
 arch: 'x86_64'
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
 secrets:
 RPM_SIGNING_KEY: ${{ secrets.RPM_SIGNING_KEY }}
 R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
diff --git a/.github/workflows/build_x86_64_test.yml b/.github/workflows/build_x86_64_test.yml
index 6ef3e19c..5be84f6a 100644
--- a/.github/workflows/build_x86_64_test.yml
+++ b/.github/workflows/build_x86_64_test.yml
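Review bot: The `permissions:` block added on the job that calls `./.github/workflows/build.yml` is the token ceiling for every job inside that reusable workflow, not only the one that signs provenance, so the steps that receive `RPM_SIGNING_KEY` and the R2 keys also run with `id-token: write` and `contents: write` unless build.yml narrows them itself. build.yml is not part of this diff, so this cannot be confirmed from here; if its jobs carry no `permissions:` of their own, give the build jobs `permissions: { contents: read }` and keep the two write scopes only on whichever job generates the provenance and uploads release assets. The same applies to the identical hunks in build_aarch64_test.yml, build_x86_64.yml and build_x86_64_test.yml. The calling job's definition starts above the hunk.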
@@ -28,6 +28,10 @@ jobs:
 with:
 arch: 'x86_64'
 test_build: true
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
 secrets:
 RPM_SIGNING_KEY: ${{ secrets.RPM_SIGNING_KEY }}
 R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
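Review bot: The `test_build: true` caller is granted the same `id-token: write` and `contents: write` as the release callers, and the comment `# To add assets to a release.` is copied unchanged even though a test build may never publish a release. Whether the test path signs provenance or uploads assets is not visible here, since the workflow's triggers and build.yml are outside the hunk. If it does not, drop the two write scopes in this file and in build_aarch64_test.yml. If build.yml requests them unconditionally and the caller therefore has to grant them, say so in the comment instead, e.g. `contents: write # Required by build.yml's release job; unused when test_build is true.`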