diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3e32c70..af9a3f8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,8 +2,6 @@ name: CI
 
 on: push
 
-permissions: write-all
-
 jobs:
   quality:
     runs-on: ubuntu-latest
@@ -22,6 +20,9 @@ jobs:
         run: biome ci .
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout code & submodules
         uses: actions/checkout@v4
@@ -45,4 +46,4 @@ jobs:
       - name: "Publish to NPM"
         uses: JS-DevTools/npm-publish@v3
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+          token: ${{ secrets.GITHUB_TOKEN }}