diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index ca9c9f0..dd97c64 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -8,6 +8,8 @@ on:
     types:
       - published
 
+permissions: {}
+
 jobs:
   format:
     name: Format
@@ -40,7 +42,6 @@ jobs:
     runs-on: ubuntu-24.04
 
     permissions:
-      actions: write
       contents: read
       id-token: write
 
@@ -94,6 +95,7 @@ jobs:
           private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
           owner: bitwarden
           repositories: passwordless-devops
+          permission-actions: write # for running workflows in other repos
 
       - name: Dispatch deployment
         env: