diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7d911ea2e..2dc59b967 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,10 +5,15 @@ on:
 tags:
 - v*
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 build:
 name: Build and release artifacts.
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
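Review bot: The workflow-level default `permissions: read-all` still hands read access on every token scope to any job added later without its own block; since the `build` job shown here declares its own permissions, a tighter default such as `permissions: {}` (or only `contents: read`) would cost nothing. On the `build` job, listing only `contents: write` sets every unlisted scope to none, so if steps outside this hunk sign with OIDC or publish packages they would need `id-token: write` or `packages: write` added explicitly. The write-scoped token is also available to every step in the job, build steps included; the step list continues past the hunk, so whether building and publishing can be split into separate jobs cannot be judged from here.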