diff --git a/.github/workflows/myworkflow.yml b/.github/workflows/myworkflow.yml
index 5c142c1..87206ca 100644
--- a/.github/workflows/myworkflow.yml
+++ b/.github/workflows/myworkflow.yml
@@ -11,8 +11,6 @@ on:
 jobs:
 myjob:
 name: My job
- permissions:
- id-token: write
 environment: production
 runs-on: ubuntu-latest
 steps:
@@ -30,6 +28,8 @@ jobs:
 # TODO: publish should be separate job to minimize "permissions: id-token: write" scope
 - name: publish
 if: github.event_name == 'release'
+ permissions:
+ id-token: write
 uses: pypa/gh-action-pypi-publish@release/v1
 with:
 repository-url: https://test.pypi.org/legacy/
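Review bot: `permissions` is not a key GitHub Actions accepts on a step (only at workflow or job level), so the two lines added under `- name: publish` cannot scope `id-token: write` to that step and will most likely make the workflow fail validation. Combined with the first hunk's removal of the job-level block, `myjob` no longer declares any token permissions and falls back to the workflow or repository default, which may be broader than the previous id-token-only grant and may not include the OIDC token the publish action needs. The supported way to narrow the scope is the one the TODO already names: move publishing into its own job that carries the job-level `permissions` block, as sketched below. How the built distributions reach that job, and whether `environment: production` should remain on `myjob`, depend on steps outside this hunk.

```yaml
  publish:
    name: Publish
    needs: myjob
    if: github.event_name == 'release'
    environment: production
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      # … hand-off of the distributions built by myjob (not visible in this hunk) …
      - name: publish
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
```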