diff --git a/.github/workflows/ecrbuild-template.yml b/.github/workflows/ecrbuild-template.yml
index d80a72eb5..5aa8934d1 100644
--- a/.github/workflows/ecrbuild-template.yml
+++ b/.github/workflows/ecrbuild-template.yml
@@ -114,7 +114,7 @@ jobs:
                   fi
 
             - name: Build, tag, and push image to Amazon ECR
-              uses: docker/build-push-action@v5
+              uses: docker/build-push-action@v6
               id: build-image
               env:
                   REGISTRY_REF: ${{steps.login-ecr.outputs.registry}}/${{env.ECR_REPOSITORY_PREFIX}}-${{env.PACKAGE}}:cache
diff --git a/.github/workflows/on_pr.yml b/.github/workflows/on_pr.yml
index a0b65beb7..97e96c291 100644
--- a/.github/workflows/on_pr.yml
+++ b/.github/workflows/on_pr.yml
@@ -11,6 +11,10 @@ on:
 env:
     AWS_REGION: us-east-1
 
+permissions:
+    id-token: write
+    contents: read
+
 jobs:
     ci:
         uses: ./.github/workflows/ci.yml