diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index aac9ceb72..539c4c581 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -20,6 +20,10 @@ on:
   schedule:
     - cron: "*/10 * * * *"
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   license:
     name: License Scanner
@@ -131,9 +135,6 @@ jobs:
             "AgnostiqHQ/covalent-awslambda-plugin",
             "AgnostiqHQ/covalent-braket-plugin",
           ]
-    permissions:
-      id-token: write
-      contents: read
     steps:
       - name: Build executor_base_images
         uses: peter-evans/repository-dispatch@v2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 86bbf065d..2e5b1da83 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,6 +40,10 @@ on:
         type: string
         default: "master"
 
+permissions:
+  id-token: write
+  contents: read
+
 env:
   PAUL_BLART: >
     '['
@@ -266,9 +270,6 @@ jobs:
 
   docker:
     runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
     steps:
       - name: Check out release tag
         uses: actions/checkout@v2