diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 32914f9e7a7..1ea51357daf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,9 @@ on:
 
 jobs:
   binaries:
+    permissions:
+        contents: read
+        packages: write
     runs-on: ubuntu-22.04
 
     steps:
@@ -20,6 +23,9 @@ jobs:
         path: binaries
 
   github:
+    permissions:
+        contents: read
+        packages: write
     needs: binaries
     runs-on: ubuntu-22.04
 
@@ -59,6 +65,9 @@ jobs:
           }
 
   dockerhub:
+    permissions:
+        contents: read
+        packages: write
     needs: binaries
     runs-on: ubuntu-22.04
 
@@ -76,6 +85,9 @@ jobs:
         DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
 
   dockerhub_legacy:
+    permissions:
+        contents: read
+        packages: write
     needs: dockerhub
     runs-on: ubuntu-22.04
 
@@ -88,6 +100,9 @@ jobs:
         DOCKER_PASSWORD_LEGACY: ${{ secrets.DOCKER_PASSWORD_LEGACY }}
 
   apidocs:
+    permissions:
+        contents: read
+        packages: write
     needs: binaries
     runs-on: ubuntu-22.04