diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index f465bee..46637d3 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -126,6 +126,8 @@ jobs:
         - krata-guest-init
     name: nightly oci build ${{ matrix.component }}
     permissions:
+      contents: read
+      id-token: write
       packages: write
     steps:
     - name: harden runner
diff --git a/.github/workflows/release-assets.yml b/.github/workflows/release-assets.yml
index 9dc3334..3fbcb9c 100644
--- a/.github/workflows/release-assets.yml
+++ b/.github/workflows/release-assets.yml
@@ -123,7 +123,8 @@ jobs:
         - krata-guest-init
     name: release-assets oci ${{ matrix.component }}
     permissions:
-      contents: write
+      contents: read
+      id-token: write
       packages: write
     steps:
     - name: harden runner
diff --git a/nightly b/nightly
new file mode 100644
index 0000000..e69de29