diff --git a/.github/workflows/sign-cli.yml b/.github/workflows/sign-cli.yml
index d62d35dac3..cd2351c39d 100644
--- a/.github/workflows/sign-cli.yml
+++ b/.github/workflows/sign-cli.yml
@@ -7,8 +7,9 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: read
+  contents: write
   actions: read
+  id-token: write
 
 jobs:
   sign-cli:
@@ -45,7 +46,6 @@ jobs:
           github-artifact-id: ${{ steps.upload_unsigned_windows_cli.outputs.artifact-id }}
           wait-for-completion: true
           output-artifact-directory: signed-opencode-cli
-          github-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Upload signed Windows CLI
         uses: actions/upload-artifact@v4