diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 3ccfed00..c9a11e37 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -10,6 +10,9 @@ jobs:
     uses: ./.github/workflows/deploy-job.yml
     with:
       environment: dev
+    permissions:
+      id-token: write
+      contents: read
     secrets:
       gcp_provider_name: ${{ secrets.GCP_PROVIDER_NAME }}
       gcp_sa_email: ${{ secrets.GCP_SA_EMAIL }}
diff --git a/.github/workflows/production-deploy.yml b/.github/workflows/production-deploy.yml
index f885a83a..55ff863c 100644
--- a/.github/workflows/production-deploy.yml
+++ b/.github/workflows/production-deploy.yml
@@ -10,6 +10,9 @@ jobs:
     uses: ./.github/workflows/deploy-job.yml
     with:
       environment: production
+    permissions:
+      id-token: write
+      contents: read
     secrets:
       gcp_provider_name: ${{ secrets.GCP_PROVIDER_NAME }}
       gcp_sa_email: ${{ secrets.GCP_SA_EMAIL }}