diff --git a/.github/workflows/build-fleetd-base-msi.yml b/.github/workflows/build-fleetd-base-msi.yml
index 78e9602ad6..fa7e21424d 100644
--- a/.github/workflows/build-fleetd-base-msi.yml
+++ b/.github/workflows/build-fleetd-base-msi.yml
@@ -69,7 +69,11 @@ jobs:
   code-sign:
     needs: build
     uses: ./.github/workflows/code-sign-windows.yml
+    permissions:
+      id-token: write # required for attestations
+      attestations: write # required for attestations
     with:
+      attest: "true"
       filename: fleetd-base.msi
       upload_name: fleetd-base-msi
     secrets:
diff --git a/.github/workflows/goreleaser-orbit.yaml b/.github/workflows/goreleaser-orbit.yaml
index be72e69f38..35007083e1 100644
--- a/.github/workflows/goreleaser-orbit.yaml
+++ b/.github/workflows/goreleaser-orbit.yaml
@@ -203,6 +203,9 @@ jobs:
   code-sign-windows:
     needs: goreleaser-windows
     uses: ./.github/workflows/code-sign-windows.yml
+    permissions:
+      id-token: write # required for attestations
+      attestations: write # required for attestations
     with:
       attest: 'true'
       filename: orbit.exe
@@ -253,6 +256,9 @@ jobs:
   code-sign-windows-arm64:
     needs: goreleaser-windows-arm64
     uses: ./.github/workflows/code-sign-windows.yml
+    permissions:
+      id-token: write # required for attestations
+      attestations: write # required for attestations
     with:
       attest: 'true'
       filename: orbit.exe