diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7a4b5f68..a56e85e9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,6 +13,33 @@ on:
 
 concurrency: ${{ github.workflow }}--${{ github.ref }}
 
+permissions:
+  actions: write
+  checks: write
+  contents: write
+  deployments: write
+  id-token: write
+  issues: write
+  discussions: write
+  packages: write
+  pages: write
+  pull-requests: write
+  repository-projects: write
+  security-events: write
+  statuses: write
+  workflows: write
+
+env:
+  KEYFILE_PASSPHRASE: '${{secrets.KEYFILE_PASSPHRASE}}'
+  AWS_BUCKET: '${{secrets.AWS_BUCKET}}'
+  AWS_ACCESS_KEY_ID: '${{secrets.AWS_ACCESS_KEY_ID}}'
+  AWS_SECRET_ACCESS_KEY: '${{secrets.AWS_SECRET_ACCESS_KEY}}'
+  AZURE_ACCOUNT_ID: '${{secrets.AZURE_ACCOUNT_ID}}'
+  AZURE_ACCOUNT_KEY: '${{secrets.AZURE_ACCOUNT_KEY}}'
+  AZURE_CONTAINER_NAME: '${{secrets.AZURE_CONTAINER_NAME}}'
+  AWS_REGION: '${{secrets.AWS_REGION}}'
+  NPM_TOKEN: '${{ secrets.NPM_TOKEN }}'
+
 jobs:
   main:
     name: ${{matrix.node}}