diff --git a/.github/workflows/release-pullrequest.yaml b/.github/workflows/release-pullrequest.yaml
index 244af2e..8199f01 100644
--- a/.github/workflows/release-pullrequest.yaml
+++ b/.github/workflows/release-pullrequest.yaml
@@ -21,6 +21,10 @@ jobs:
             platform: linux/amd64
     runs-on: ${{ matrix.runner }}
 
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - name: Prepare
         run: |
@@ -37,7 +41,7 @@ jobs:
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
-          username: ${{ github.actor }}
+          username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
@@ -49,5 +53,4 @@ jobs:
         with:
           platforms: ${{ matrix.platform }}
           push: false
-          labels: ${{ steps.meta.outputs.labels }}
-          tags: ${{ steps.meta.outputs.tags }}
\ No newline at end of file
+          labels: ${{ steps.meta.outputs.labels }}
\ No newline at end of file
diff --git a/.github/workflows/release-tag.yaml b/.github/workflows/release-tag.yaml
index c3dc73d..2b36829 100644
--- a/.github/workflows/release-tag.yaml
+++ b/.github/workflows/release-tag.yaml
@@ -21,6 +21,10 @@ jobs:
             platform: linux/amd64
     runs-on: ${{ matrix.runner }}
     
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - name: Prepare
         run: |
@@ -50,7 +54,6 @@ jobs:
           platforms: ${{ matrix.platform }}
           push: true
           labels: ${{ steps.meta.outputs.labels }}
-          tags: ${{ steps.meta.outputs.tags }}
           outputs: type=image,"name=${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=true
 
       - name: Export digest