diff --git a/.github/workflows/_meta-build.yaml b/.github/workflows/_meta-build.yaml
index 38a9aa9ef..63bdb74a5 100644
--- a/.github/workflows/_meta-build.yaml
+++ b/.github/workflows/_meta-build.yaml
@@ -61,6 +61,7 @@ jobs:
 build-container:
 runs-on: ubuntu-latest
 permissions:
+ packages: write # Required to push images to ghcr.io
 security-events: write # Required to upload trivy's SARIF output
 needs:
 - build-java
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index 2456500d9..d341077f8 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -25,6 +25,7 @@ jobs:
 app-version: "snapshot"
 publish-container: ${{ github.ref == 'refs/heads/main' }}
 permissions:
+ packages: write # Required to push images to ghcr.io
 security-events: write # Required to upload trivy's SARIF output
 secrets:
 registry-0-usr: ${{ github.repository_owner }}
diff --git a/.github/workflows/ci-publish.yaml b/.github/workflows/ci-publish.yaml
index 89cc44f9d..61cce0de8 100644
--- a/.github/workflows/ci-publish.yaml
+++ b/.github/workflows/ci-publish.yaml
@@ -39,6 +39,7 @@ jobs:
 app-version: ${{ needs.read-version.outputs.version }}
 publish-container: true
 permissions:
+ packages: write # Required to push images to ghcr.io
 security-events: write # Required to upload trivy's SARIF output
 secrets:
 registry-0-usr: ${{ github.repository_owner }}
diff --git a/.github/workflows/ci-release.yaml b/.github/workflows/ci-release.yaml
index 3ac7f2423..e2280f44c 100644
--- a/.github/workflows/ci-release.yaml
+++ b/.github/workflows/ci-release.yaml
@@ -38,6 +38,10 @@ jobs:
 create-release:
 runs-on: ubuntu-latest
+ permissions:
+ # Required for pushing changes via git command (rather than via GitHub API).
+ # TODO: Use bot credentials for git, or rewrite the "Commit Version" step to use API instead.
+ contents: write
 needs:
 - prepare-release
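Review bot: `packages: write` is granted to the whole `build-container` job in `_meta-build.yaml`, and to the calling jobs in `ci-build.yaml` and `ci-publish.yaml`, whether or not an image is actually pushed. In `ci-build.yaml` the caller passes `publish-container: ${{ github.ref == 'refs/heads/main' }}`, so on every other ref the job, including the trivy scan its SARIF comment refers to and any third-party actions among its steps, holds a package-write token it presumably never uses. Consider moving the push into its own job that is gated on the `publish-container` input and is the only one given `packages: write`, leaving the build and scan job with `security-events: write` alone. The job steps lie outside these hunks, so confirm how build, scan and push are laid out before splitting.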