diff --git a/.github/workflows/.reusable-docker-publish.yml b/.github/workflows/.reusable-docker-publish.yml
index 8bae49d2aab8d..32b12aab57012 100644
--- a/.github/workflows/.reusable-docker-publish.yml
+++ b/.github/workflows/.reusable-docker-publish.yml
@@ -22,7 +22,18 @@ jobs:
   publish:
     name: Publish ${{ inputs.source-images }} to ${{ inputs.target-images }}
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+
     steps:
+      - name: Cloning repo
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: depot.json
+          sparse-checkout-cone-mode: false
+
       - name: Login to Github Container Registry
         uses: docker/login-action@v3
         with:
@@ -45,8 +56,7 @@ jobs:
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
 
-      # Setup Docker buildx with Depot's builder so imagetools have access to Depot's cache
-      - uses: docker/setup-buildx-action@v3
+      # Setup Docker buildx with Depot builder so imagetools have access to Depot cache
       - uses: depot/use-action@v1
 
       - name: Publish Image