diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f275f08..ecb23df 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -74,9 +74,6 @@ jobs:
           labels: |
             org.opencontainers.image.title=ruby
 
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.2.0
-
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
@@ -135,10 +132,18 @@ jobs:
     needs:
       - build
 
+    permissions:
+      id-token: write # keyless Cosign signatures
+      packages: write # GHCR
+      contents: write # git tags
+
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.2.0
+
       - name: Download digests
         uses: actions/download-artifact@v4
         with: