diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 0613ba5..0e89552 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -10,6 +10,10 @@ on:
         # Default to truncated commit hash
         default: "0.0.0"
 
+permissions:
+  # For provenance generation
+  id-token: write
+
 jobs:
   # Build job
   build: