diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index a34874e..66651af 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -4,6 +4,14 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read # Required for actions/checkout
+  checks: write # Set status of checks
+  issues: write # Comment the PR as we go
+  statuses: write # Set commit statuses as tests pass or fail
+  pull-requests: write # Get/comment the PR itself
+  packages: write # Write to ghcr.io
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 8dff91a..c01da4f 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -3,6 +3,14 @@ name: build-publish
 on:
   pull_request:
 
+permissions:
+  contents: read # Required for actions/checkout
+  checks: write # Set status of checks
+  issues: write # Comment the PR as we go
+  statuses: write # Set commit statuses as tests pass or fail
+  pull-requests: write # Get/comment the PR itself
+  packages: write # Write to ghcr.io
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -10,7 +18,7 @@ jobs:
       tags: ${{ steps.meta.outputs.tags }}
     steps:
     - name: Login to docker registry
-      uses: docker/login-action@v1
+      uses: docker/login-action@v3
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
@@ -30,7 +38,6 @@ jobs:
       timeout-minutes: 3
       with:
         context: .
-        file: ./Dockerfile
         push: true
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}