diff --git a/.github/workflows/orchestrator.yml b/.github/workflows/orchestrator.yml
index afe527c620..40a026f5ca 100644
--- a/.github/workflows/orchestrator.yml
+++ b/.github/workflows/orchestrator.yml
@@ -8,7 +8,22 @@ on:
       - 'release/**'
   merge_group:
 
-permissions: 'read-all'
+permissions:
+  contents: 'read'
+  packages: 'write'
+  pull-requests: 'write'
+  security-events: 'write'
+  checks: 'write'
+  statuses: 'write'
+  actions: 'read'
+  attestations: 'read'
+  deployments: 'read'
+  discussions: 'read'
+  issues: 'read'
+  models: 'read'
+  pages: 'read'
+  repository-projects: 'read'
+  id-token: 'read'
 
 concurrency:
   group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}'