diff --git a/.github/workflows/publish-website.yml b/.github/workflows/publish-website.yml
index 100404fd0a..17ae6e2cba 100644
--- a/.github/workflows/publish-website.yml
+++ b/.github/workflows/publish-website.yml
@@ -9,11 +9,7 @@ on:
 # Allow running this workflow manually from the Actions tab.
 workflow_dispatch:
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
-permissions:
- contents: read
- pages: write
- id-token: write
+permissions: {}
 # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
@@ -28,6 +24,10 @@ jobs:
 name: "Build the website"
 runs-on: ubuntu-latest
+
+ permissions:
+ contents: read # to read the contents of the repo
+
 steps:
 # By default use the `gh-pages` branch.
 # For testing changes to the workflow or the scripts, use the PR branch
@@ -84,6 +84,10 @@ jobs:
 name: github-pages
 url: ${{ steps.deployment.outputs.page_url }}
+ permissions:
+ pages: write # to deploy to Pages
+ id-token: write # to verify the deployment originates from an appropriate source
+
 steps:
 - name: Deploy to GitHub Pages
 id: deployment
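Review bot: The new top-level `permissions: {}` in the first hunk (`@@ -9,11 +9,7 @@`) carries no comment, while the block it replaces had one explaining the token scopes. An empty map leaves the GITHUB_TOKEN with no scopes unless a job declares its own, so a job added later without a `permissions:` block will run with a token that has no access. That fail-closed default is the point of the change, but it is not obvious from the line itself. I would add above it: `# Deny all GITHUB_TOKEN permissions by default; each job below grants only what it needs.`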
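Review bot: The deploy job's new `permissions:` block (third hunk, `@@ -84,6 +84,10 @@`) applies to every step in that job, not only to the deployment step, and nothing in the hunk says so. `id-token: write` lets any step in the job request an OIDC token for the workflow's identity, so the job should stay limited to the deploy step, with build work kept in the job that holds only `contents: read`. I would add a comment above the block: `# Job-wide: keep this job to the deploy step only; do not add build or third-party steps here.` The step list continues outside the hunk, so whether further steps follow `Deploy to GitHub Pages`, and whether its action is pinned to a commit SHA, cannot be checked from here.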