diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index eac7be6..c935b76 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -8,6 +8,11 @@ on:
     branches:
       - main
 
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+
 jobs:
   build:
     name: Build
@@ -20,9 +25,6 @@ jobs:
         node: [21]
         goos: [linux]
         goarch: [arm]
-    permissions:
-      contents: read
-      pull-requests: write
 
     steps:
       - name: Checkout
@@ -68,9 +70,6 @@ jobs:
   comment:
     runs-on: ubuntu-latest
     needs: build
-    permissions:
-      contents: read
-      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4