diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3b3bc1ab..4ec0da2c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,7 +26,7 @@ jobs:
 if: github.event_name != 'pull_request'
 uses: ./.github/workflows/source-provenance.yml
 permissions:
- contents: read
+ contents: write
 attestations: write
 id-token: write
diff --git a/.github/workflows/source-provenance.yml b/.github/workflows/source-provenance.yml
index 09ebab93..63b8922c 100644
--- a/.github/workflows/source-provenance.yml
+++ b/.github/workflows/source-provenance.yml
@@ -15,7 +15,7 @@ jobs:
 runs-on: ubuntu-latest
 if: github.ref == 'refs/heads/main'
 permissions:
- contents: read
+ contents: write
 attestations: write
 id-token: write
@@ -38,7 +38,7 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
- persist-credentials: false
+ persist-credentials: true
 - name: Attest source governance (SLSA Source Track)
 uses: slsa-framework/source-actions/slsa_with_provenance@v0.1.0
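Review bot: The `contents: write` grant in the caller job's `permissions:` block in `ci.yml` is added with no comment saying which operation needs repository write access, and the same undocumented escalation appears in the `permissions:` block of `source-provenance.yml` (second hunk). Job-level permissions apply to every step in the job, so from these lines a reader cannot tell whether one step needs the write scope or whether it is broader than necessary. I would add a comment above each changed line, for example `# contents: write is needed by the source-provenance attestation step (name the exact git operation here)`. If only that step needs it, consider isolating it in its own job so the remaining steps keep `contents: read`. Both job definitions start and end outside the hunks shown.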
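Review bot: With `persist-credentials: true` in the third hunk, the checkout leaves the job token available to git for every later step, and the step right after it, `slsa-framework/source-actions/slsa_with_provenance@v0.1.0`, is referenced by a movable tag while `actions/checkout` above it is pinned to a commit SHA. Together with the `contents: write` and `id-token: write` permissions set earlier in this file, whatever that tag resolves to at run time executes with repository write and OIDC rights. Pin it the same way as the checkout, `uses: slsa-framework/source-actions/slsa_with_provenance@<full-commit-sha> # v0.1.0`. Also add a comment on the `persist-credentials` line naming the step that needs the persisted credentials. The step list continues outside the hunk.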