diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
index 894426a..872ede8 100644
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -16,6 +16,9 @@ on:
 jobs:
   draft-release:
     uses: 'google-github-actions/.github/.github/workflows/draft-release.yml@v3' # ratchet:exclude
+    permissions:
+      contents: 'read'
+      pull-requests: 'write'
     with:
       version_strategy: '${{ github.event.inputs.version_strategy }}'
     secrets:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0b215b3..b9bd2f2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,11 +6,19 @@ on:
       - 'main'
       - 'release/**/*'
 
+defaults:
+  run:
+    shell: 'bash'
+
 jobs:
   release:
     uses: 'google-github-actions/.github/.github/workflows/release.yml@v3' # ratchet:exclude
     secrets:
       ACTIONS_BOT_TOKEN: '${{ secrets.ACTIONS_BOT_TOKEN }}'
+    permissions:
+      attestations: 'write'
+      contents: 'write'
+      packages: 'write'
 
   publish:
     needs: