diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 539198d..25df9e5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,6 +10,12 @@ env:
   AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
   AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
+permissions:
+  checks: write
+  id-token: write # needed for npm publish with provenance
+  contents: write # needed for github release
+  pull-requests: write # needed for coverage comment
+
 jobs:
   lint:
     name: Lint
@@ -78,9 +84,6 @@ jobs:
     runs-on: ubuntu-latest
     needs: [lint,test]
     if: github.ref == 'refs/heads/main'
-    permissions:
-      id-token: write # needed for npm publish with provenance
-      contents: write # needed for github release
 
     steps:
       - uses: actions/checkout@v4