diff --git a/.github/workflows/docker-build-images.md b/.github/workflows/docker-build-images.md
index 1b77faa3..174d1f46 100644
--- a/.github/workflows/docker-build-images.md
+++ b/.github/workflows/docker-build-images.md
@@ -51,7 +51,12 @@ permissions: {}
 jobs:
   docker-build-images:
     uses: hoverkraft-tech/ci-github-container/.github/workflows/docker-build-images.yml@2b647ed6f11d50cb6beb6d56333e68ba2c804826 # 0.33.1
-    permissions: {}
+    permissions:
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
     secrets:
       # Password or GitHub token (`packages:read` and `packages:write` scopes) configuration used to log against OCI registries.
       # Accepts either a single password/token string (default format) or a JSON object using the same keys as `oci-registry`.