diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml
index 55cf394983b..dfe0436912d 100644
--- a/.github/workflows/canary.yml
+++ b/.github/workflows/canary.yml
@@ -65,6 +65,9 @@ jobs:
 bundle-desktop:
 needs: [prepare-version]
 uses: ./.github/workflows/bundle-desktop.yml
+ permissions:
+ id-token: write
+ contents: read
 with:
 version: ${{ needs.prepare-version.outputs.version }}
 signing: false
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5152d304953..dc7f03815a5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -120,6 +120,9 @@ jobs:
 # Faster Desktop App build for PRs only
 bundle-desktop-unsigned:
 uses: ./.github/workflows/bundle-desktop.yml
+ permissions:
+ id-token: write
+ contents: read
 needs: changes
 if: (github.event_name == 'pull_request' || github.event_name == 'merge_group') && (needs.changes.outputs.code == 'true' || github.event_name != 'pull_request')
 with:
diff --git a/.github/workflows/pr-comment-bundle-intel.yml b/.github/workflows/pr-comment-bundle-intel.yml
index e0f63c69987..cc15cfd842a 100644
--- a/.github/workflows/pr-comment-bundle-intel.yml
+++ b/.github/workflows/pr-comment-bundle-intel.yml
@@ -63,6 +63,9 @@ jobs:
 needs: [trigger-on-command]
 if: ${{ needs.trigger-on-command.outputs.continue == 'true' }}
 uses: ./.github/workflows/bundle-desktop-intel.yml
+ permissions:
+ id-token: write
+ contents: read
 with:
 signing: false
 ref: ${{ needs.trigger-on-command.outputs.head_sha }}
diff --git a/.github/workflows/pr-comment-bundle.yml b/.github/workflows/pr-comment-bundle.yml
index 0561682a2b3..3aff2021e77 100644
--- a/.github/workflows/pr-comment-bundle.yml
+++ b/.github/workflows/pr-comment-bundle.yml
@@ -107,6 +107,9 @@ jobs:
 needs: [trigger-on-command]
 if: ${{ needs.trigger-on-command.outputs.continue == 'true' }}
 uses: ./.github/workflows/bundle-desktop.yml
+ permissions:
+ id-token: write
+ contents: read
 with:
 signing: false
 ref: ${{ needs.trigger-on-command.outputs.pr_sha }}
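Review bot: `id-token: write` is granted to the `bundle-desktop` call in canary.yml although that call passes `signing: false`, and the same three lines are added to the unsigned callers in ci.yml, pr-comment-bundle-intel.yml and pr-comment-bundle.yml. If the OIDC token is consumed only on the signing path of the called workflows (they are not shown, so this is inferred), these jobs gain the ability to request a token they never need. Consider moving the token-consuming steps into a job or reusable workflow that only release.yml calls, so unsigned builds can stay at `contents: read`. If the grant is needed merely because the called workflow declares it, say so next to it, e.g. `# id-token: write is required by the called workflow's job permissions; unused when signing is false`.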
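Review bot: In pr-comment-bundle-intel.yml and pr-comment-bundle.yml the job that now holds `id-token: write` builds the pull request's own commit (`ref: ${{ needs.trigger-on-command.outputs.head_sha }}` and `pr_sha` respectively), so build scripts from the PR run in a job that can request an OIDC token for this repository. How much that token is worth depends on the relying party's trust policy, which is not visible here; it should match on the ref or environment, or on the `job_workflow_ref` claim, rather than on the repository alone. The `trigger-on-command` job that sets `continue` lies outside both hunks, so confirm it limits the command to maintainers and resolves the SHA at the time of that approval.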
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 644518a5c1c..a475db4c48c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -44,6 +44,9 @@ jobs:
 # ------------------------------------------------------------
 bundle-desktop:
 uses: ./.github/workflows/bundle-desktop.yml
+ permissions:
+ id-token: write
+ contents: read
 with:
 signing: true
 secrets:
@@ -54,6 +57,9 @@ jobs:
 # ------------------------------------------------------------
 bundle-desktop-intel:
 uses: ./.github/workflows/bundle-desktop-intel.yml
+ permissions:
+ id-token: write
+ contents: read
 with:
 signing: true
 secrets:
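Review bot: Neither `bundle-desktop` nor `bundle-desktop-intel` in release.yml says why the job needs `id-token: write`; a comment above each `permissions:` block, such as `# id-token: write lets the signing steps in the called workflow request a GitHub OIDC token`, would make the grant auditable (the purpose is inferred from `signing: true`, the called workflows are not shown). A job-level `permissions:` block also sets every unlisted scope to none, so confirm the called workflows need nothing beyond `contents: read`. Both jobs continue past the hunks at `secrets:`, so the secrets that sit alongside the new token permission are not visible here.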