diff --git a/actions/ql/lib/ext/config/actions_permissions.yml b/actions/ql/lib/ext/config/actions_permissions.yml
index 6e0081973de6..b2862794383e 100644
--- a/actions/ql/lib/ext/config/actions_permissions.yml
+++ b/actions/ql/lib/ext/config/actions_permissions.yml
@@ -22,16 +22,21 @@ extensions:
 - ["actions/stale", "pull-requests: write"]
 - ["actions/attest-build-provenance", "id-token: write"]
 - ["actions/attest-build-provenance", "attestations: write"]
+ - ["actions/deploy-pages", "pages: write"]
+ - ["actions/deploy-pages", "id-token: write"]
+ - ["actions/delete-package-versions", "packages: write"]
 - ["actions/jekyll-build-pages", "contents: read"]
 - ["actions/jekyll-build-pages", "pages: write"]
 - ["actions/jekyll-build-pages", "id-token: write"]
 - ["actions/publish-action", "contents: write"]
- - ["actions/versions-package-tools", "contents: read"]
+ - ["actions/versions-package-tools", "contents: read"]
 - ["actions/versions-package-tools", "actions: read"]
- - ["actions/reusable-workflows", "contents: read"]
+ - ["actions/reusable-workflows", "contents: read"]
 - ["actions/reusable-workflows", "actions: read"]
+ - ["actions/ai-inference", "contents: read"]
+ - ["actions/ai-inference", "models: read"]
 # TODO: Add permissions for actions/download-artifact
 # TODO: Add permissions for actions/upload-artifact
+ # No permissions needed for actions/upload-pages-artifact
 # TODO: Add permissions for actions/cache
-
-
+ # No permissions needed for actions/configure-pages
diff --git a/actions/ql/src/change-notes/2025-05-14-minimal-permission-for-add-to-project.md b/actions/ql/src/change-notes/2025-05-14-minimal-permission-for-add-to-project.md
new file mode 100644
index 000000000000..8d6c87fe7a76
--- /dev/null
+++ b/actions/ql/src/change-notes/2025-05-14-minimal-permission-for-add-to-project.md
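Review bot: The `-`/`+` pairs for `["actions/versions-package-tools", "contents: read"]` and `["actions/reusable-workflows", "contents: read"]` show no visible difference, so the change is presumably whitespace only (trailing space or indentation); if it is a reindent, confirm those two items still sit at the same indentation as their neighbours, since a block-sequence item at a different column may parse as a nested node or fail to parse instead of contributing a row to the extension data. The two `# No permissions needed for …` comments record a decision that nothing in this file can enforce: an action deliberately left out looks identical to one that simply has not been modelled yet, and the remaining `# TODO` lines sit right beside them. Consider stating the intent explicitly, e.g. `# actions/upload-pages-artifact and actions/configure-pages intentionally have no entry: they require no GITHUB_TOKEN permissions`, so a later reader does not add a spurious row. The change note introduced right after this hunk is named `…minimal-permission-for-add-to-project.md`, which does not match the three actions (`deploy-pages`, `delete-package-versions`, `ai-inference`) it describes.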
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml
new file mode 100644
index 000000000000..6530bd5f08e0
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml
@@ -0,0 +1,10 @@
+on:
+ workflow_call:
+ workflow_dispatch:
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/ai-inference
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml
new file mode 100644
index 000000000000..1a10bd6a7d6c
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml
@@ -0,0 +1,10 @@
+on:
+ workflow_call:
+ workflow_dispatch:
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/deploy-pages
diff --git a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml
new file mode 100644
index 000000000000..b6ae16bf9e26
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml
@@ -0,0 +1,10 @@
+on:
+ workflow_call:
+ workflow_dispatch:
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/delete-package-versions
diff --git a/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
index 1a3c36c78ca1..52a045e0de21 100644
--- a/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
+++ b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
@@ -3,3 +3,6 @@
 | .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
 | .github/workflows/perms6.yml:7:5:11:39 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, id-token: write, pages: write} |
 | .github/workflows/perms7.yml:7:5:10:38 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {} |
+| .github/workflows/perms8.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {id-token: write, pages: write} |
+| .github/workflows/perms9.yml:7:5:10:44 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {packages: write} |
+| .github/workflows/perms10.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, models: read} |