diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml
index 96e1a1226..8ae3f3aae 100644
--- a/.github/workflows/deploy-production.yml
+++ b/.github/workflows/deploy-production.yml
@@ -7,6 +7,10 @@ concurrency:
 on: workflow_dispatch
+permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+
 jobs:
 detect-changes:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
index 7296f7f34..2834195ff 100644
--- a/.github/workflows/deploy-staging.yml
+++ b/.github/workflows/deploy-staging.yml
@@ -9,6 +9,10 @@ on:
 branches:
 - main
+permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+
 jobs:
 detect-changes:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 0024edfeb..7238ca7d8 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -9,6 +9,10 @@ on:
 branches:
 - add-tf-iac
+permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+
 jobs:
 detect-changes:
 runs-on: ubuntu-latest
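Review bot: The new top-level `permissions:` block in deploy-production.yml grants `id-token: write` to every job in the workflow, including `detect-changes`, whose only visible line is `runs-on: ubuntu-latest` and which may never need to request a JWT. Consider leaving only `contents: read` at workflow level and putting `permissions:` with `id-token: write` and `contents: read` on the job that actually requests the token. A job-level `permissions:` block replaces the workflow-level one rather than merging with it, so `contents: read` has to be repeated there. The same block is added unchanged in deploy-staging.yml and validate.yml, and the same narrowing applies to both. The job definitions continue outside each hunk, so which job needs the token has to be confirmed against the full files.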
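Review bot: validate.yml receives the same `id-token: write` grant as the two deploy workflows, so whether a validation run can reach deployment credentials now rests entirely on the trust policy of whatever consumes the JWT, which is not part of this diff. If validation only needs read or plan access, its token should map to a separate read-only role, and the trust condition should match the token's `sub` claim against this repository and the expected ref or environment rather than the repository alone. A comment beside the grant would record that expectation, for example `# OIDC: token must map to a read-only role; trust policy pins sub to repo + ref`. The trigger for this workflow sits above the hunk (only the `add-tf-iac` branch filter is visible), so confirm which events can start it.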