diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5d29b15..b69e1e0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -50,7 +50,8 @@ jobs:
 name: Test attest action
 runs-on: ubuntu-latest
 permissions:
- contents: write
+ contents: read
+ attestations: write
 id-token: write
 env:
 SUBJECT: /repos/${{ github.repository }}/tarball/${{ github.sha }}
diff --git a/README.md b/README.md
index 2845003..2ff5a3a 100644
--- a/README.md
+++ b/README.md
@@ -31,11 +31,11 @@ attest:
 ```yaml
 permissions:
 id-token: write
- contents: write # TODO: Update this
+ attestations: write
 ```
 The `id-token` permission gives the action the ability to mint the OIDC token
- necessary to request a Sigstore signing certificate. The `contents`
+ necessary to request a Sigstore signing certificate. The `attestations`
 permission is necessary to persist the attestation.
 1. Add the following to your workflow after your artifact has been built:
@@ -128,7 +128,8 @@ jobs:
 build:
 permissions:
 id-token: write
- contents: write
+ contents: read
+ attestations: write
 steps:
 - name: Checkout
@@ -186,7 +187,8 @@ jobs:
 permissions:
 id-token: write
 packages: write
- contents: write
+ contents: read
+ attestations: write
 env:
 REGISTRY: ghcr.io
 IMAGE_NAME: ${{ github.repository }}
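Review bot: The three permission lines in the `Test attest action` job are the whole security decision of this change, yet nothing in the workflow says why each grant is needed, so the next person tightening or debugging the job cannot tell which ones are load-bearing; the rationale lives only in the README hunk of the same commit. I would put it inline above the block: `# id-token: mint the OIDC token used to obtain a Sigstore signing certificate` and `# attestations: persist the attestation; contents stays read-only because SUBJECT only fetches the repository tarball`. It is also worth noting in that comment that a job-level `permissions` map replaces the workflow defaults, so every scope not listed here is denied (to my recollection only `metadata: read` remains) — that is the least-privilege outcome wanted, and stating it discourages someone re-adding a broad grant later. The job body continues outside the hunk.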