diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml
index 04fc2842e..22374dc1c 100644
--- a/.github/workflows/ghcr.yml
+++ b/.github/workflows/ghcr.yml
@@ -28,8 +28,18 @@ jobs:
   container-registry:
     runs-on: ubuntu-latest
     permissions:
-      packages: write
+      actions: none
+      checks: none
       contents: read
+      deployments: none
+      issues: none
+      packages: write
+      pull-requests: none
+      repository-projects: none
+      security-events: write
+      statuses: none
+      # needed for `cosign attest`
+      id-token: write
 
     steps:
       - uses: actions/checkout@v5