diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index c2dcc2972f1..8e7fe54f018 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -63,6 +63,7 @@ jobs:
 DRY_RUN: ${{ inputs.dry_run }}
 runs-on: ubuntu-latest
 permissions:
+ id-token: write
 contents: write
 pull-requests: write
 steps:
diff --git a/.github/workflows/pr-patch-check-event.yml b/.github/workflows/pr-patch-check-event.yml
index f7605f033ce..b274b86b87b 100644
--- a/.github/workflows/pr-patch-check-event.yml
+++ b/.github/workflows/pr-patch-check-event.yml
@@ -20,6 +20,7 @@ permissions: {}
 jobs:
 dispatch-job:
 permissions:
+ id-token: write
 contents: read
 actions: write
 env:
diff --git a/.github/workflows/sync-mirror-event.yml b/.github/workflows/sync-mirror-event.yml
index 13c9563846a..4a073c9b2b3 100644
--- a/.github/workflows/sync-mirror-event.yml
+++ b/.github/workflows/sync-mirror-event.yml
@@ -10,14 +10,14 @@ on:
 - "v*.*.*"
 - "release-*"
-permissions:
- id-token: write
+permissions: {}
 # This is run after the pull request has been merged, so we'll run against the target branch
 jobs:
 dispatch-job:
 runs-on: ubuntu-latest
 permissions:
+ id-token: write
 contents: read
 actions: write
 env:
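Review bot: The new `id-token: write` in the `permissions:` block of changelog.yml gives no indication of which step requests the OIDC token, and the same is true of the additions in pr-patch-check-event.yml and sync-mirror-event.yml. The grant is job-wide, so every step and every third-party action in the job can request a token, and in this job it sits beside `contents: write` and `pull-requests: write`. I would add a trailing comment such as `id-token: write  # OIDC token for <consumer step>; relying party restricted to this repo and ref`, and confirm that the relying party checks the token's `sub` claim. The job's steps are outside the hunk, so the consumer cannot be verified from here.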
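Review bot: The `on:` trigger for `dispatch-job` in pr-patch-check-event.yml is not visible in this hunk, and the file name suggests the workflow reacts to pull-request events, so the new `id-token: write` needs a check against the full file. If the trigger runs in the base-repository context, the job should not check out or execute code from the pull-request head, because any step in the job can request the OIDC token. The job body continues past the `env:` line, outside the hunk.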
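Review bot: With the workflow-level block replaced by `permissions: {}` in sync-mirror-event.yml, any other job in the file that declares no `permissions:` of its own no longer inherits `id-token: write`. Only `dispatch-job` is visible here, so please confirm that no other job relied on the inherited grant. Scoping the grant to the job is the tighter form, and a comment above the top-level line, for example `# no default permissions; each job opts in to what it needs`, would discourage re-adding workflow-level grants later.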