diff --git a/.github/workflows/codeql-code-scanning.yml b/.github/workflows/codeql-code-scanning.yml
index 13501a4..412510a 100644
--- a/.github/workflows/codeql-code-scanning.yml
+++ b/.github/workflows/codeql-code-scanning.yml
@@ -22,6 +22,14 @@ on:
 #   group: ci-${{ github.event.pull_request.number || github.ref }}
 #   cancel-in-progress: true
 
+permissions:
+  # required for all workflows
+  security-events: write
+
+  # only required for workflows in private repositories
+  actions: read
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -35,14 +43,6 @@ jobs:
       matrix:
         language: ['javascript']
 
-    permissions:
-      # required for all workflows
-      security-events: write
-
-      # only required for workflows in private repositories
-      actions: read
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v4