diff --git a/.github/workflows/check-dockerfile.yml b/.github/workflows/check-dockerfile.yml
index 5add77d..d9c2b1b 100644
--- a/.github/workflows/check-dockerfile.yml
+++ b/.github/workflows/check-dockerfile.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Test Dockerfile build
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2ead9b7..a731b62 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,6 +5,10 @@ on:
     tags:
       - v*
 
+permissions:
+  contents: read
+  packages: write
+
 env:
   IMAGE_NAME: php
 
@@ -21,7 +25,7 @@ jobs:
         run: docker build . --file ./Dockerfile --tag $IMAGE_NAME
 
       - name: Log into GitHub Container Registry
-        run: echo "${{ secrets.SECRET_TOKEN }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
 
       - name: Push image to GitHub Container Registry
         run: |