diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 5da1436..66d0ccc 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -22,6 +22,9 @@ permissions:
 required: true
 jobs:
 nix:
+ permissions:
+ contents: read
+ packages: write
 secrets:
 CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
 OPERATOR_PRIVATE_KEY: ${{ secrets.OPERATOR_PRIVATE_KEY }}
diff --git a/modules/devenv/integrations/github/nix.nix b/modules/devenv/integrations/github/nix.nix
index dccf414..1d3b179 100644
--- a/modules/devenv/integrations/github/nix.nix
+++ b/modules/devenv/integrations/github/nix.nix
@@ -309,6 +309,10 @@ in
 jobs = {
 nix = {
 uses = "./.github/workflows/nix.yaml";
+ permissions = {
+ contents = "read";
+ packages = "write";
+ };
 secrets = {
 OPERATOR_PRIVATE_KEY = "\${{ secrets.OPERATOR_PRIVATE_KEY }}";
 CACHIX_AUTH_TOKEN = "\${{ secrets.CACHIX_AUTH_TOKEN }}";
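Review bot: The `permissions` block added to `jobs.nix` is a ceiling for every job inside the called `./.github/workflows/nix.yaml`, so `packages = "write"` is available to all of them alongside `OPERATOR_PRIVATE_KEY` and `CACHIX_AUTH_TOKEN`, not only to the step that publishes. nix.yaml is not part of this diff; if it contains more than one job, each should declare its own `permissions` so that only the publishing job keeps `packages: write`. Declaring the block also sets every unlisted scope to `none` for the called workflow, which deserves a comment above it such as `# GITHUB_TOKEN ceiling for nix.yaml; scopes not listed here become none`. The same applies to the matching hunk in `.github/workflows/release.yaml`, and the `jobs` attribute set continues outside this hunk.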