diff --git a/.github/workflows/on-release-published.yml b/.github/workflows/on-release-published.yml
index 5d968974ed..822ece8f48 100644
--- a/.github/workflows/on-release-published.yml
+++ b/.github/workflows/on-release-published.yml
@@ -5,12 +5,6 @@ on:
     types:
       - published
 
-# These permissions are needed to assume roles from Github's OIDC.
-# https://github.com/grafana/shared-workflows/tree/main/actions/get-vault-secrets
-permissions:
-  contents: read
-  id-token: write
-
 jobs:
   linting-and-tests:
     name: Linting and tests
@@ -21,6 +15,11 @@ jobs:
     needs:
       - linting-and-tests
     runs-on: ubuntu-latest
+    # These permissions are needed to assume roles from Github's OIDC.
+    # https://github.com/grafana/shared-workflows/tree/main/actions/get-vault-secrets
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout project
         uses: actions/checkout@v3
@@ -79,6 +78,11 @@ jobs:
     needs:
       - linting-and-tests
     runs-on: ubuntu-latest
+    # These permissions are needed to assume roles from Github's OIDC.
+    # https://github.com/grafana/shared-workflows/tree/main/actions/get-vault-secrets
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout project
         uses: actions/checkout@v3