diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fe4a7d1f0..48e6c0b7d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,6 +23,9 @@ jobs:
     if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/staging')
     uses: ./.github/workflows/trigger-deploy.yml
     secrets: inherit
+    permissions:
+      id-token: write
+      contents: read
 
   # Build AMD64 images and push to ECR immediately (+ GHCR for main)
   build-amd64: