diff --git a/.github/workflows/head-build.yml b/.github/workflows/head-build.yml
index 8973828..d599bff 100644
--- a/.github/workflows/head-build.yml
+++ b/.github/workflows/head-build.yml
@@ -39,6 +39,8 @@ jobs:
       # - Read vault secrets in rancher-eio/read-vault-secrets.
       # - Publish image to ghcr.io
       id-token: write
+      packages: write
+      attestations: write
 
     runs-on: ubuntu-latest
     needs:
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index f276176..0e84fe9 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -27,6 +27,8 @@ jobs:
       # - OIDC for cosign's use in ecm-distro-tools/publish-image.
       # - Read vault secrets in rancher-eio/read-vault-secrets.
       id-token: write
+      packages: write
+      attestations: write
 
     runs-on: ubuntu-latest