diff --git a/.github/workflows/build_and_publish.yaml b/.github/workflows/build_and_publish.yaml
index 00ffc02..aeb8418 100644
--- a/.github/workflows/build_and_publish.yaml
+++ b/.github/workflows/build_and_publish.yaml
@@ -11,6 +11,9 @@ env:
   BASE_IMAGE_NAME: base-docker
   ACTION_IMAGE_NAME: base-action
   UBUNTU_PRO_TOKEN: ${{ secrets.UBUNTU_PRO_TOKEN }}
+permissions:
+  packages: write
+  contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index f261f27..c957ea0 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -4,6 +4,8 @@ on:
 env:
   IMAGE_NAME: base-docker
   UBUNTU_PRO_TOKEN: ${{ secrets.UBUNTU_PRO_TOKEN }}
+permissions:
+  contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update-ubuntu-sha.yaml b/.github/workflows/update-ubuntu-sha.yaml
index 0f41a2b..1e96822 100644
--- a/.github/workflows/update-ubuntu-sha.yaml
+++ b/.github/workflows/update-ubuntu-sha.yaml
@@ -10,6 +10,8 @@ on:
 env:
   BASE_IMAGE_NAME: base-docker
   ACTION_IMAGE_NAME: base-action
+permissions:
+  contents: write
 jobs:
   update:
     runs-on: ubuntu-latest