diff --git a/.github/workflows/aca-deploy.yaml b/.github/workflows/aca-deploy.yaml
index aace8e6..b0981c1 100644
--- a/.github/workflows/aca-deploy.yaml
+++ b/.github/workflows/aca-deploy.yaml
@@ -14,7 +14,12 @@ on:
         container-app-env-name:
           required: true
           type: string
-      
+
+# Set up permissions for deploying with secretless Azure federated credentials
+# https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#set-up-azure-login-with-openid-connect-authentication
+permissions:
+  id-token: write
+  contents: read
 
 jobs:
     deploy:
diff --git a/.github/workflows/acr-build-push.yaml b/.github/workflows/acr-build-push.yaml
index 1a11be0..930cdd3 100644
--- a/.github/workflows/acr-build-push.yaml
+++ b/.github/workflows/acr-build-push.yaml
@@ -11,7 +11,12 @@ on:
         app-folder-path:
           required: true
           type: string
-      
+
+# Set up permissions for deploying with secretless Azure federated credentials
+# https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#set-up-azure-login-with-openid-connect-authentication
+permissions:
+  id-token: write
+  contents: read
 
 jobs:
     build: