diff --git a/.github/workflows/migrate-sboms-to-oci.yml b/.github/workflows/migrate-sboms-to-oci.yml
index 19359333..119b2f6d 100644
--- a/.github/workflows/migrate-sboms-to-oci.yml
+++ b/.github/workflows/migrate-sboms-to-oci.yml
@@ -7,6 +7,11 @@ concurrency:
   group: migrate-sboms
   cancel-in-progress: false
 
+# OCI S3 push uses OCI_S3_ACCESS_KEY + OCI_S3_SECRET_KEY; default
+# GITHUB_TOKEN only needs read for the checkout.
+permissions:
+  contents: read
+
 jobs:
   migrate:
     runs-on: ubuntu-latest