diff --git a/.github/workflows/build-linux-binaries.yml b/.github/workflows/build-linux-binaries.yml
index f4dcbd93bbf1..c59192883c0a 100644
--- a/.github/workflows/build-linux-binaries.yml
+++ b/.github/workflows/build-linux-binaries.yml
@@ -13,6 +13,9 @@ on:
 jobs:
 build-x86_64-binaries-tarball:
 runs-on: ubuntu-20.04
+ permissions:
+ id-token: write
+ contents: read
 steps:
 - uses: actions/checkout@v4
@@ -72,6 +75,9 @@ jobs:
 build-arm64-binaries-tarball:
 runs-on: custom-arm64-focal
+ permissions:
+ id-token: write
+ contents: read
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/build-macos-release.yml b/.github/workflows/build-macos-release.yml
index 8f1801b0c1f9..62856e8131da 100644
--- a/.github/workflows/build-macos-release.yml
+++ b/.github/workflows/build-macos-release.yml
@@ -19,6 +19,9 @@ jobs:
 build-mac:
 # The type of runner that the job will run on
 runs-on: macos-12
+ permissions:
+ id-token: write
+ contents: read
 # Steps represent a sequence of tasks that will be executed as part of the job
 steps:
diff --git a/.github/workflows/build-public-ami.yml b/.github/workflows/build-public-ami.yml
index d97f7c32395e..bfb1629e425e 100644
--- a/.github/workflows/build-public-ami.yml
+++ b/.github/workflows/build-public-ami.yml
@@ -18,6 +18,9 @@ jobs:
 build-public-ami-and-upload:
 runs-on: ubuntu-22.04
 timeout-minutes: 45
+ permissions:
+ id-token: write
+ contents: read
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/build-ubuntu-amd64-release.yml b/.github/workflows/build-ubuntu-amd64-release.yml
index 6df99f50979a..6d6514584f01 100644
--- a/.github/workflows/build-ubuntu-amd64-release.yml
+++ b/.github/workflows/build-ubuntu-amd64-release.yml
@@ -13,6 +13,9 @@ on:
 jobs:
 build-jammy-amd64-package:
 runs-on: ubuntu-22.04
+ permissions:
+ id-token: write
+ contents: read
 steps:
 - uses: actions/checkout@v4
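Review bot: Declaring `permissions` on build-x86_64-binaries-tarball sets every scope that is not listed to `none`, so any later step in this job that uses the default GITHUB_TOKEN for more than reading contents (publishing a release asset, writing a package, posting a status) will start failing. The steps after `actions/checkout@v4` are outside the hunk, so this cannot be confirmed from here. The same block is added to the other nine jobs in this diff (build-arm64-binaries-tarball, build-mac, build-public-ami-and-upload, the four Ubuntu package jobs and build-win), and each needs the same check. If a job does need another scope, add it explicitly next to `contents: read` rather than dropping the block.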
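Review bot: build-arm64-binaries-tarball runs on `custom-arm64-focal`, which looks like a self-hosted runner label, and `id-token: write` lets any process started by this job request an OIDC token for the workflow's identity. If that runner is persistent rather than ephemeral, state left behind by earlier jobs sits inside the same boundary, so the cloud-side trust policy should pin the token's `sub` claim to this repository and the release refs, and the assumed role should allow only the upload. I would record that above the block, for example `# id-token: write on a self-hosted runner: the assumed role must be scoped to this repo and release refs`. The same applies to build-jammy-arm64-package and build-focal-arm64-package in build-ubuntu-arm64-release.yml.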
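Review bot: The new `permissions` block in build-mac has no comment, while the neighbouring lines in this file each carry one (`# The type of runner that the job will run on`, `# Steps represent a sequence of tasks ...`). A line above it such as `# id-token: write lets this job request an OIDC token; contents: read keeps repository access read-only` would tell the next maintainer why the scope is there and that removing it breaks authentication. The step that consumes the token is outside the hunk, so the comment should name it once that is confirmed. build-win in build-win-release.yml has the same gap.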
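Review bot: In build-public-ami-and-upload the `id-token: write` grant is job-wide, so every step in the job can request a token, including actions referenced by a mutable tag such as `actions/checkout@v4`, while presumably only the upload needs one. Pinning the actions used in this job to commit SHAs, or moving the credentialed step into a small job that `needs` the build, would narrow that exposure. The rest of the job is outside the hunk, so which step assumes the cloud role is inferred from the job name.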
@@ -70,6 +73,9 @@ jobs:
 build-focal-amd64-package:
 runs-on: ubuntu-20.04
+ permissions:
+ id-token: write
+ contents: read
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/build-ubuntu-arm64-release.yml b/.github/workflows/build-ubuntu-arm64-release.yml
index f78151311fdc..0443487b55e4 100644
--- a/.github/workflows/build-ubuntu-arm64-release.yml
+++ b/.github/workflows/build-ubuntu-arm64-release.yml
@@ -13,6 +13,9 @@ on:
 jobs:
 build-jammy-arm64-package:
 runs-on: custom-arm64-jammy
+ permissions:
+ id-token: write
+ contents: read
 steps:
 - uses: actions/checkout@v4
@@ -70,6 +73,9 @@ jobs:
 build-focal-arm64-package:
 runs-on: custom-arm64-focal
+ permissions:
+ id-token: write
+ contents: read
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/build-win-release.yml b/.github/workflows/build-win-release.yml
index a1d6d1a510d4..d882fe4aadd9 100644
--- a/.github/workflows/build-win-release.yml
+++ b/.github/workflows/build-win-release.yml
@@ -19,6 +19,10 @@ jobs:
 build-win:
 # The type of runner that the job will run on
 runs-on: windows-2019
+ permissions:
+ id-token: write
+ contents: read
+ # Steps represent a sequence of tasks that will be executed as part of the job
 steps:
 # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it