diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
index fc96bf0..ecfc5ad 100644
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@@ -13,6 +13,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
+      id-token: write # For ESC secrets.
     uses: ./.github/workflows/prerequisites.yml
     secrets: inherit
     with:
@@ -21,6 +22,9 @@ jobs:
       is_automated: ${{ github.actor == 'dependabot[bot]' }}
 
   build_provider:
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
     uses: ./.github/workflows/build_provider.yml
     needs: prerequisites
     secrets: inherit
@@ -32,6 +36,9 @@ jobs:
     needs: prerequisites
     uses: ./.github/workflows/build_sdk.yml
     secrets: inherit
+    permissions:
+      contents: write # For Renovate SDKs.
+      id-token: write # For ESC secrets.
     with:
       version: ${{ needs.prerequisites.outputs.version }}
 
@@ -48,6 +55,7 @@ jobs:
     name: publish
     permissions:
       contents: write
+      pull-requests: write
       id-token: write
     needs:
       - prerequisites