diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 1e274b5..5ed37fb 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -16,6 +16,11 @@ on:
         required: false
         type: string
 
+permissions:
+  contents: write
+  packages: write
+  id-token: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/go-contract-image.yml b/.github/workflows/go-contract-image.yml
index 22add8c..b121543 100644
--- a/.github/workflows/go-contract-image.yml
+++ b/.github/workflows/go-contract-image.yml
@@ -14,6 +14,8 @@ on:
     paths:
       - 'samples/go-contract/**'
 
+permissions: read-all
+
 jobs:
   docker_build:
     name: Docker build
diff --git a/.github/workflows/java-contract-image.yml b/.github/workflows/java-contract-image.yml
index bff0238..7daae4b 100644
--- a/.github/workflows/java-contract-image.yml
+++ b/.github/workflows/java-contract-image.yml
@@ -14,6 +14,8 @@ on:
     paths:
       - 'samples/java-contract/**'
 
+permissions: read-all
+
 jobs:
   docker_build:
     name: Docker build
diff --git a/.github/workflows/node-contract-image.yml b/.github/workflows/node-contract-image.yml
index ba1c5df..b0e3812 100644
--- a/.github/workflows/node-contract-image.yml
+++ b/.github/workflows/node-contract-image.yml
@@ -14,6 +14,8 @@ on:
     paths:
       - 'samples/node-contract/**'
 
+permissions: read-all
+
 jobs:
   docker_build:
     name: Docker build
diff --git a/.github/workflows/peer-image.yml b/.github/workflows/peer-image.yml
index d7fbcb0..be78110 100644
--- a/.github/workflows/peer-image.yml
+++ b/.github/workflows/peer-image.yml
@@ -23,6 +23,10 @@ permissions: read-all
 jobs:
   docker_build:
     name: Docker build
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
     uses: ./.github/workflows/docker-build.yml
     with:
       image-name: ghcr.io/hyperledger-labs/fabric-builder-k8s/k8s-fabric-peer