diff --git a/template/.github/workflows/ci.yaml.jinja b/template/.github/workflows/ci.yaml.jinja
index a99e9ae5..5f5df0ba 100644
--- a/template/.github/workflows/ci.yaml.jinja
+++ b/template/.github/workflows/ci.yaml.jinja
@@ -12,6 +12,7 @@ env:
 permissions:
 id-token: write # needed to assume OIDC roles (e.g. for downloading from CodeArtifact)
+ contents: read # need to explicitly provide this whenever defining permissions because the default value is 'none' for anything not explicitly set when permissions are defined
 jobs:
 get-values:
diff --git a/template/.github/workflows/publish.yaml.jinja b/template/.github/workflows/publish.yaml.jinja
index a56bba2a..153b8f04 100644
--- a/template/.github/workflows/publish.yaml.jinja
+++ b/template/.github/workflows/publish.yaml.jinja
@@ -14,6 +14,7 @@ env:
 permissions:
 id-token: write # needed to assume OIDC roles (e.g. for downloading from CodeArtifact)
+ contents: read # need to explicitly provide this whenever defining permissions because the default value is 'none' for anything not explicitly set when permissions are defined
 jobs:
 get-values:
diff --git a/template/.github/workflows/publish_to_staging.yaml.jinja b/template/.github/workflows/publish_to_staging.yaml.jinja
index a6ee92bb..8d8aadc0 100644
--- a/template/.github/workflows/publish_to_staging.yaml.jinja
+++ b/template/.github/workflows/publish_to_staging.yaml.jinja
@@ -8,7 +8,8 @@ env:
 PRE_COMMIT_HOME: ${{ github.workspace }}/.precommit_cache
 permissions:
- id-token: write # needed to assume OIDC roles (e.g. for downloading from CodeArtifact)
+ id-token: write # needed to assume OIDC roles (e.g. for downloading from CodeArtifact)
+ contents: read # need to explicitly provide this whenever defining permissions because the default value is 'none' for anything not explicitly set when permissions are defined
 jobs:
 lint:
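Review bot: In ci.yaml.jinja the `permissions:` block this hunk extends sits at workflow level, so the `id-token: write` beside the new `contents: read` line is granted to every job, including ones such as `get-values` that may never assume the OIDC role. A tighter layout keeps only `contents: read` at the top and gives a job-level `permissions:` block with `id-token: write` and `contents: read` to the jobs that actually assume the role, since a job-level block replaces the workflow-level one rather than adding to it. The same applies to the hunks in publish.yaml.jinja and publish_to_staging.yaml.jinja. The job definitions lie outside these hunks, so which jobs need the token has to be confirmed against the full templates.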
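Review bot: The trailing comment on the added `contents: read` line in publish.yaml.jinja runs to roughly 180 characters and explains the 'none' default, but not which part of the workflow needs read access. Moving it onto its own line above the key and naming the consumer would read better, for example `# unlisted scopes become 'none' once permissions is set; read access is needed to check out the repository`. That wording assumes checkout is the consumer, which these hunks do not show. The identical comment is added in ci.yaml.jinja and publish_to_staging.yaml.jinja.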