diff --git a/.github/workflows/build-test-deploy.yml b/.github/workflows/build-test-deploy.yml
index 57afdad..1dea6d1 100644
--- a/.github/workflows/build-test-deploy.yml
+++ b/.github/workflows/build-test-deploy.yml
@@ -31,6 +31,8 @@ jobs:
   build-package:
     name: Build & verify package
     runs-on: ubuntu-latest
+    permissions:
+      attestations: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -109,6 +111,9 @@ jobs:
     if: github.event.action == 'published'
     runs-on: ubuntu-latest
     needs: [build-package, test]
+    permissions:
+      id-token: write
+      attestations: write
 
     steps:
       - name: Download packages built by build-and-inspect-python-package