diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index b26da74f..48600189 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -18,6 +18,7 @@ jobs:
 uses: ./.github/workflows/wc-build-push-test.yml
 permissions:
 actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
+ artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata
 attestations: write # is needed by actions/attest-build-provenance to push attestations
 contents: write # is needed by anchore/sbom-action for artifact uploads
 id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
@@ -42,6 +43,7 @@ jobs:
 TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
 permissions:
 actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
+ artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata
 attestations: write # is needed by actions/attest-build-provenance to push attestations
 contents: write # is needed by anchore/sbom-action for artifact uploads
 id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
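Review bot: The added `artifact-metadata: write` line sits on the caller job, so it only raises the ceiling for the reusable workflow `./.github/workflows/wc-build-push-test.yml`; if the job in that file that runs actions/attest-build-provenance sets its own `permissions:` block, the scope must be listed there as well, and that file is not part of this diff. The second hunk (`@@ -42,6 +43,7 @@`) adds the identical line to another job, which also passes `TEST_GITHUB_TOTP_SECRET`, so the same applies there. Judging by its name the called workflow builds, pushes and tests in one call, which would mean every job in it that does not narrow its permissions runs with this scope plus `contents: write` and `id-token: write`; it is worth confirming that only the attestation job keeps the write scopes. Both job definitions start above the visible hunk lines.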