diff --git a/.github/workflows/publish-on-release.yml b/.github/workflows/publish-on-release.yml
index a2975fbcb..f3f855bec 100644
--- a/.github/workflows/publish-on-release.yml
+++ b/.github/workflows/publish-on-release.yml
@@ -4,11 +4,6 @@ on:
   release:
     types: [published]
 
-# https://docs.npmjs.com/trusted-publishers#step-2-configure-your-cicd-workflow
-permissions:
-  id-token: write # to enable use of OIDC for npm provenance
-  contents: read # to enable reading the contents of the release for publishing
-
 jobs:
   build:
     name: Build Vanilla
@@ -37,6 +32,10 @@ jobs:
     name: Publish to NPM
     needs: build
     runs-on: ubuntu-latest
+    # https://docs.npmjs.com/trusted-publishers#step-2-configure-your-cicd-workflow
+    permissions:
+      id-token: write # to enable use of OIDC for npm provenance
+      contents: read # to enable reading the contents of the release for publishing
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-node@v6