diff --git a/.github/index.pkl b/.github/index.pkl
index 1a56fecfae..666aa7a08d 100644
--- a/.github/index.pkl
+++ b/.github/index.pkl
@@ -17,6 +17,7 @@ amends "@pkl.impl.ghactions/PklCI.pkl"
 import "@gha/actions/Common.pkl"
 import "@gha/actions/Setup.pkl"
+import "@gha/Context.pkl"
 import "@gha/Workflow.pkl"
 build = baseWorkflow
@@ -64,6 +65,9 @@ local testJob: Workflow.Job = new {
 local publishJob: Workflow.Job = new {
 name = "Generate and publish docs"
 `runs-on` = "ubuntu-latest"
+ permissions {
+ contents = "write"
+ }
 steps {
 new Common.Checkout {
 with {
@@ -79,6 +83,9 @@ local publishJob: Workflow.Job = new {
 }
 }
 new {
+ env {
+ ["GH_TOKEN"] = Context.github.token
+ }
 name = "Generate and publish docs"
 run = "./gradlew check generateAndPublishDocs --refresh-dependencies"
 }
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 41a178640c..348f8dc203 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -16,6 +16,8 @@ permissions:
 jobs:
 build-and-publish-docs:
 name: Generate and publish docs
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v5
@@ -28,6 +30,8 @@ jobs:
 distribution: temurin
 cache: gradle
 - name: Generate and publish docs
+ env:
+ GH_TOKEN: ${{ github.token }}
 run: ./gradlew check generateAndPublishDocs --refresh-dependencies
 trigger-downstream-builds:
 if: github.repository_owner == 'apple'
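Review bot: The new `permissions { contents = "write" }` block on `publishJob` in `.github/index.pkl` (hunk `@@ -64,6 +65,9 @@`) has no comment saying why the job needs write access, and the hunk does not show what is written. A job-level permissions block replaces the workflow-level defaults for this job, so every scope not listed becomes `none`; that is the least-privilege outcome, but it is worth stating as intended. I would add a comment above the block such as `// contents: write is presumably needed by generateAndPublishDocs to push the generated docs (confirm); all other scopes are none for this job.` The grant covers every step in the job, including checkout and setup, and the body of `publishJob` continues outside the hunk. The matching `permissions:` lines in `.github/workflows/main.yml` look like generated output of this file and need no separate change.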
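Review bot: `GH_TOKEN` is set on the one step that runs both `check` and `generateAndPublishDocs` with `--refresh-dependencies` (hunk `@@ -79,6 +83,9 @@` in `.github/index.pkl`). The write-scoped token is therefore in the environment of the whole build, the test code and every freshly resolved dependency, not only the publishing task. Splitting the step in two, as sketched below, would confine the token to the publishing invocation, assuming `generateAndPublishDocs` does not rely on `check` running in the same Gradle invocation; please confirm. The same applies to the mirrored step in `.github/workflows/main.yml` (hunk `@@ -28,6 +30,8 @@`), which appears to be generated from this file. `publishJob` starts outside the hunk.

```pkl
// … unchanged: checkout and JDK setup steps …
new {
  name = "Check"
  run = "./gradlew check --refresh-dependencies"
}
new {
  env {
    ["GH_TOKEN"] = Context.github.token
  }
  name = "Generate and publish docs"
  run = "./gradlew generateAndPublishDocs"
}
```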