diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 1c0d18c5..229bfdd1 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -31,8 +31,8 @@ jobs:
   check:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
       packages: write 
+      contents: write # publish sbom to GH releases/tag assets
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
@@ -46,6 +46,7 @@ jobs:
           dir: .
           upload-sbom-release-assets: true
 
+
   # Build docker images
   build-images:
     runs-on: ubuntu-latest
@@ -108,7 +109,7 @@ jobs:
   scan-images:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write # For publishing assets to releases
       packages: write
     needs: [check, build-images]
     if: >