diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 5c88201d7..5bef911ff 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -12,12 +12,15 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Install Nix
-        uses: cachix/install-nix-action@v23
+        uses: cachix/install-nix-action@v25
         with:
           extra_nix_config: |
             allowed-uris = ${{ env.ALLOWED_URIS }}
@@ -57,4 +60,4 @@ jobs:
             docker push $IMAGE_ID:$TAG
           }
           tagAndPush "marlowe-playground-server"
-          tagAndPush "marlowe-playground-client"
\ No newline at end of file
+          tagAndPush "marlowe-playground-client"